Skip to main content
 
 
 
Splunk Lantern

Windows account activity overview

 

As a Windows system administrator, you are responsible for account maintenance. You need better awareness into account based activity. In the event of an issue, this type of information can serve as a starting place for troubleshooting, so you'd like to have it in an easy-to-access table. 

Data required

Windows: Event logs

Procedure

  1. Verify that you have deployed the Splunk Add-on for Microsoft Windows to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=windows OR index=wineventlog  sourcetype=wineventlog
|dedup EventCode 
|rex field=EventCodeDescription (?<account_desc>account) 
|where EventCodeDescription NOT null AND account_desc NOT null 
|table _time dest_nt_domain dest_nt_host src_user EventCode EventCodeDescription 
|rename dest_nt_domain AS Domain dest_nt_host AS Host src_user AS User

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

index=windows OR index=wineventlog sourcetype=wineventlog

Search Windows events. 

 

Your index names may be different. 

|dedup EventCode

Remove duplicate event codes.

|rex field=EventCodeDescription (?<account_desc>account)

Match and capture the work account from the event code description, then store it in the capture field “account_desc”.

|where EventCodeDescription NOT null AND account_desc NOT null 

Keep all events that have text both in the description and in the account_desc field. Return only the events where the word “account” is in the description.

|table _time dest_nt_domain dest_nt_host src_user EventCode EventCodeDescription 

Display the results in a table with columns in the order shown.

|rename dest_nt_domain AS Domain dest_nt_host AS Host src_user AS User

Rename the fields as shown for better readability.

Next steps

The search generates a table, such as the sample table below, of account-related activity that took place in the time frame of the search. This overview would be helpful in starting out a troubleshooting investigation or also as a starting point for other reports. 

Some follow-on reports and dashboards could be a search by user to see all the account-related activity for that user. That information could be helpful if a user complains about not being able to logon. The search by user for account-related activity might reveal the cause, for example, that the account was changed, disabled, deleted, or locked out. 

_time Domain Host User EventCode EventCodeDescription

2020-10-06T14:09:04

SPLUNKTEL

dc-cup-01

Administrator

4624

An account was successfully logged on

2020-10-06T14:09:02

SPLUNKTEL

coredev-001

cont_bfroto

4625

An account failed to log on

2020-10-06T14:08:53

SPLUNKTEL

dc-pla-01

admin_jfrancis

4634

An account was logged off

2020-10-06T14:06:34

SPLUNKTEL

dc-den-01

admin_mdodson

4742

A computer account was changed

2020-10-06T14:05:45

SPLUNKTEL

dc-pla-01

rogue_admin

4738

A user account was changed

2020-10-06T14:05:16

SPLUNKTEL

dc-pla-01

rogue_admin

4724

An attempt was made to reset an accounts password

2020-10-06T14:05:02

SPLUNKTEL

dc-pla-01

rogue_admin

4722

A user account was enabled

2020-10-06T14:04:25

SPLUNKTEL

dc-den-01

admin_mdodson

4720

A user account was created

2020-10-06T14:03:29

SPLUNKTEL

dc-pla-01

admin_jfrancis

4725

A user account was disabled

2020-10-06T13:50:18

SPLUNKTEL

dc-pla-01

rogue_admin

4726

A user account was deleted

2020-10-06T13:24:48

SPLUNKTEL

dc-den-01

admin_dmullen

4767

A user account was unlocked

2020-10-06T13:23:49

SPLUNKTEL

dc-pla-01

pete_do

4740

A user account was locked out

2020-10-06T13:17:03

SPLUNKTEL

dc-pla-01

rogue_admin

4743

A computer account was deleted

A good next step is to put this search on a dashboard and add interactive inputs so the search can be narrowed by user, domain, eventcode, or host, all with an adjustable time picker. 

The Splunk App for Windows Infrastructure has a large set of other dashboards to report on user activity that are especially useful for verifying group policies related to accounts that are inactive, have no password, have no password expiry, and so forth. The search presented here is fast and easy to run once you have the data, while the Window INF app adds a lot more searches but takes more effort to implement. 

Finally, you might be interested in other processes associated with the Monitoring Windows account access use case.