Getting Data In

Reporting on NT User Logins?

strueblood
Explorer

I've been asked to monitor people's NT logins in the morning. As I look through the security logs on my domain controllers there are so many login events. Is there a specific event indicating that a user has first logged into the network?

Suggestions?


southeringtonp
Motivator

Unfortunately, doing this on Windows is not quite as straightforward as one might expect.

If all you care about is the first time a user hit the network, then use Splunk's search language to just isolate the first occurrence. Most of the time, you'll want Event 4624 or 528, depending on your Windows version. The general form would be:

sourcetype="windows-snare" Success EventCode=4624 NOT user="*$"
| eval logonTime=_time
| bucket _time span=1d
| stats min(logonTime) as logonTime by user, _time
| convert ctime(logonTime)

The bucket command, and the inclusion of _time in the stats command, are optional but will break it out separately for each day.

Similarly, if you just want the first event for a user for a given day:

sourcetype="windows-snare" Success EventCode=4624 NOT user="*$"
| sort _time
| dedup user

It's important to understand that these events do not necessarily indicate a user logging in by typing their credentials -- almost any network activity can generate this event.

If you want to track when a user actually entered their name and password, and not just when they hit a network share or other resource, you need to look mainly for Logon Type 2, 7, 10, or 11. These correspond to Interactive Logon, Screen Unlock, Remote Desktop Logon, and workstation logons with cached credentials. Unfortunately, they will generally appear only on the workstation at which the event occurred, and not on a domain controller.

For newer Windows versions, searching for Event 4776 (Credential Validation) will tell you when a domain controller actually checked the password. But remember that it won't appear for logons using cached credentials.

You may also want to take a look at Randy Franklin Smith's site, and at eventid.net. The first has a good quick reference sheet here:
     http://www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx

ftk
Motivator

Great answer. There is also an app on Splunkbase that provides EventID lookups and some easy links to eventid.net via splunk workflows: http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Windows+Event+Codes+Lookup


dwaddle
SplunkTrust

To Windows, a login is a login is a login. There's nothing special about a user's "first" login of the day. You may want to rephrase this as something more like "How can I write a search to find the first time a user logs in each day, assuming midnight starts a new day?" (Or 5AM, or 6AM, or whatever)

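The following is an added example, not part of this thread and not Splunk's own code. It reproduces in Python what southeringtonp's `stats min(logonTime) by user, _time` search does (drop machine accounts ending in `$`, keep only 4624, take the earliest event per user per day), adds the logon-type filter from the same answer so that a share access (type 3) does not count as a person logging in, and takes dwaddle's point about the day boundary as a parameter. The log line format, account names and timestamps are constructed for the example and are not the Snare format or real data.

```python
import re
from datetime import datetime, timedelta

# Logon types that mean a person supplied (or the lock screen re-used) a
# password: Interactive, Unlock, RemoteInteractive, CachedInteractive.
CREDENTIAL_LOGON_TYPES = {2, 7, 10, 11}

# Constructed sample lines (not real logs, not the Snare format): a timestamp
# followed by just the fields this example needs. A 4776 line, a machine
# account ($) logon and an out-of-order line are included so the filters and
# the min() logic have something to work on.
SAMPLE_LINES = [
    "2024-03-04T07:58:11 EventCode=4776 Account_Name=alice",
    "2024-03-04T07:58:12 EventCode=4624 Account_Name=alice Logon_Type=2",
    "2024-03-04T08:02:30 EventCode=4624 Account_Name=WS01$ Logon_Type=3",
    "2024-03-04T07:10:00 EventCode=4624 Account_Name=bob Logon_Type=3",
    "2024-03-04T08:40:00 EventCode=4624 Account_Name=bob Logon_Type=10",
    "2024-03-04T09:15:00 EventCode=4624 Account_Name=alice Logon_Type=3",
    "2024-03-04T13:20:00 EventCode=4624 Account_Name=alice Logon_Type=7",
    "2024-03-05T00:30:00 EventCode=4624 Account_Name=alice Logon_Type=2",
    "2024-03-05T08:10:00 EventCode=4624 Account_Name=alice Logon_Type=2",
    "2024-03-04T07:30:00 EventCode=4624 Account_Name=bob Logon_Type=11",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+)"
    r"(?: Logon_Type=(?P<ltype>\d+))?"
)


def parse_line(line):
    """Return (timestamp, user, logon_type) for a 4624 line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("code") != "4624" or m.group("ltype") is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("user"), int(m.group("ltype"))


def logical_day(ts, day_start_hour):
    """Bucket a timestamp into a day that starts at day_start_hour instead of midnight."""
    return (ts - timedelta(hours=day_start_hour)).date().isoformat()


def first_logons(lines, credential_only=True, day_start_hour=0):
    """Earliest 4624 per (day, user), like the stats min(...) by user, _time search.

    Machine accounts (names ending in $) are dropped, as NOT user="*$" does.
    With credential_only=True only logon types 2/7/10/11 count, so hitting a
    share (type 3) does not register as the user's first logon of the day.
    Input order does not matter: a running minimum is kept, so no sort is needed.
    """
    earliest = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ltype = parsed
        if user.endswith("$"):
            continue
        if credential_only and ltype not in CREDENTIAL_LOGON_TYPES:
            continue
        key = (logical_day(ts, day_start_hour), user)
        if key not in earliest or ts < earliest[key]:
            earliest[key] = ts
    return {k: v.isoformat() for k, v in sorted(earliest.items())}


if __name__ == "__main__":
    for key, ts in first_logons(SAMPLE_LINES, day_start_hour=5).items():
        print(key, ts)
```

With the defaults, bob's first logon on 2024-03-04 is the 07:30 cached-credentials logon, not the 07:10 share access; with `credential_only=False` it becomes 07:10, which is the difference between the two searches in the answer. With `day_start_hour=5`, alice's 00:30 logon on 2024-03-05 is counted as part of the previous working day, so her first logon for 2024-03-05 becomes 08:10. Note that the `sort _time | dedup user` variant in the answer depends on the sort; the running-minimum approach here, like `stats min`, does not.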