Windows account activity overview
As a Windows system administrator, you are responsible for account maintenance and need better visibility into account-based activity. When an issue arises, this information is a natural starting point for troubleshooting, so you'd like to have it in an easy-to-access table.
Data required
Procedure
- Verify that you have deployed the Splunk Add-on for Microsoft Windows to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=windows OR index=wineventlog sourcetype=wineventlog | dedup EventCode | rex field=EventCodeDescription "(?<account_desc>account)" | where isnotnull(EventCodeDescription) AND isnotnull(account_desc) | table _time dest_nt_domain dest_nt_host src_user EventCode EventCodeDescription | rename dest_nt_domain AS Domain dest_nt_host AS Host src_user AS User
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `index=windows OR index=wineventlog sourcetype=wineventlog` | Search Windows events. Your index names may be different. |
| `\| dedup EventCode` | Remove duplicate event codes, keeping only the first (most recent) event for each EventCode, so the table shows one row per event type. |
| `\| rex field=EventCodeDescription "(?<account_desc>account)"` | Match the word "account" in the event code description and store it in the capture field `account_desc`. Events whose description does not contain the word get no `account_desc` field. |
| `\| where isnotnull(EventCodeDescription) AND isnotnull(account_desc)` | Keep only events that have a description and in which the word "account" was matched. |
| `\| table _time dest_nt_domain dest_nt_host src_user EventCode EventCodeDescription` | Display the results in a table with columns in the order shown. |
| `\| rename dest_nt_domain AS Domain dest_nt_host AS Host src_user AS User` | Rename the fields as shown for better readability. |
Next steps
The search generates a table, such as the sample table below, of account-related activity that took place in the time frame of the search. This overview is useful both as the first step of a troubleshooting investigation and as a starting point for other reports.
One follow-on report or dashboard is a search by user that shows all the account-related activity for that user. That information is helpful if a user complains about not being able to log on: the per-user search might reveal the cause, for example, that the account was changed, disabled, deleted, or locked out.
| _time | Domain | Host | User | EventCode | EventCodeDescription |
|---|---|---|---|---|---|
| 2020-10-06T14:09:04 | SPLUNKTEL | dc-cup-01 | Administrator | 4624 | An account was successfully logged on |
| 2020-10-06T14:09:02 | SPLUNKTEL | coredev-001 | cont_bfroto | 4625 | An account failed to log on |
| 2020-10-06T14:08:53 | SPLUNKTEL | dc-pla-01 | admin_jfrancis | 4634 | An account was logged off |
| 2020-10-06T14:06:34 | SPLUNKTEL | dc-den-01 | admin_mdodson | 4742 | A computer account was changed |
| 2020-10-06T14:05:45 | SPLUNKTEL | dc-pla-01 | rogue_admin | 4738 | A user account was changed |
| 2020-10-06T14:05:16 | SPLUNKTEL | dc-pla-01 | rogue_admin | 4724 | An attempt was made to reset an account's password |
| 2020-10-06T14:05:02 | SPLUNKTEL | dc-pla-01 | rogue_admin | 4722 | A user account was enabled |
| 2020-10-06T14:04:25 | SPLUNKTEL | dc-den-01 | admin_mdodson | 4720 | A user account was created |
| 2020-10-06T14:03:29 | SPLUNKTEL | dc-pla-01 | admin_jfrancis | 4725 | A user account was disabled |
| 2020-10-06T13:50:18 | SPLUNKTEL | dc-pla-01 | rogue_admin | 4726 | A user account was deleted |
| 2020-10-06T13:24:48 | SPLUNKTEL | dc-den-01 | admin_dmullen | 4767 | A user account was unlocked |
| 2020-10-06T13:23:49 | SPLUNKTEL | dc-pla-01 | pete_do | 4740 | A user account was locked out |
| 2020-10-06T13:17:03 | SPLUNKTEL | dc-pla-01 | rogue_admin | 4743 | A computer account was deleted |
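To make the behaviour of each search stage concrete, here is an added Python example (not Splunk code and not part of the original article) that replays the overview search, and the per-user follow-on search from "Next steps", over a constructed, newest-first list of events modelled on the sample table. The event records, the `_ev` helper, the `svc_backup` and process-creation events, and the choice to filter the per-user search on `src_user` are all assumptions made for the example.

```python
import re

# Constructed sample events modelled on the page's sample table (not real log data).
# Splunk returns search results newest-first, so the list is in descending _time order.
def _ev(time, host, user, code, desc=None):
    ev = {"_time": time, "dest_nt_domain": "SPLUNKTEL", "dest_nt_host": host,
          "src_user": user, "EventCode": code}
    if desc is not None:          # some events carry no EventCodeDescription field
        ev["EventCodeDescription"] = desc
    return ev

SAMPLE_EVENTS = [
    _ev("2020-10-06T14:09:04", "dc-cup-01", "Administrator", "4624",
        "An account was successfully logged on"),
    _ev("2020-10-06T14:09:02", "coredev-001", "cont_bfroto", "4625",
        "An account failed to log on"),
    _ev("2020-10-06T14:08:53", "dc-pla-01", "admin_jfrancis", "4634",
        "An account was logged off"),
    # an older 4624 for another user: dedup keeps only the first (newest) 4624
    _ev("2020-10-06T14:07:10", "dc-pla-01", "pete_do", "4624",
        "An account was successfully logged on"),
    # constructed process-creation event: no "account" in the description, so rex drops it
    _ev("2020-10-06T14:06:50", "dc-pla-01", "Administrator", "4688",
        "A new process has been created"),
    _ev("2020-10-06T14:05:16", "dc-pla-01", "rogue_admin", "4724",
        "An attempt was made to reset an account's password"),
    _ev("2020-10-06T13:23:49", "dc-pla-01", "pete_do", "4740",
        "A user account was locked out"),
    # constructed event with no description field: isnotnull(EventCodeDescription) fails
    _ev("2020-10-06T13:20:00", "dc-den-01", "svc_backup", "4672"),
]

# rex field=EventCodeDescription "(?<account_desc>account)"
ACCOUNT_RE = re.compile(r"(?P<account_desc>account)")

# table ... | rename ...
COLUMNS = ["_time", "dest_nt_domain", "dest_nt_host", "src_user",
           "EventCode", "EventCodeDescription"]
RENAME = {"dest_nt_domain": "Domain", "dest_nt_host": "Host", "src_user": "User"}


def account_overview(events):
    """Replay the page's search stage by stage over a newest-first event list."""
    seen_codes = set()
    rows = []
    for ev in events:
        code = ev.get("EventCode")
        # dedup EventCode: the first event seen for a code wins, later ones are discarded.
        # This runs before the where filter, so a code is consumed even when its newest
        # event is filtered out afterwards.
        if code is None or code in seen_codes:
            continue
        seen_codes.add(code)
        # rex: account_desc only exists when the description contains "account"
        desc = ev.get("EventCodeDescription")
        account_desc = ACCOUNT_RE.search(desc) if desc is not None else None
        # where isnotnull(EventCodeDescription) AND isnotnull(account_desc)
        if desc is None or account_desc is None:
            continue
        # table + rename
        rows.append({RENAME.get(c, c): ev.get(c) for c in COLUMNS})
    return rows


def account_activity_for_user(events, user):
    """Follow-on search from "Next steps": every account-related event for one user.
    No dedup here, because the point is the full sequence of what happened.
    Filtering on src_user is an assumption; depending on how the add-on maps the
    event, the target-account field may be the one you need."""
    rows = []
    for ev in events:
        desc = ev.get("EventCodeDescription")
        if ev.get("src_user") != user or desc is None or not ACCOUNT_RE.search(desc):
            continue
        rows.append({RENAME.get(c, c): ev.get(c) for c in COLUMNS})
    return rows


def render(rows):
    """Return rows as a pipe-separated table, like the sample table above."""
    headers = [RENAME.get(c, c) for c in COLUMNS]
    lines = [" | ".join(headers)]
    for r in rows:
        lines.append(" | ".join(str(r[h]) for h in headers))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(account_overview(SAMPLE_EVENTS)))
    print()
    print(render(account_activity_for_user(SAMPLE_EVENTS, "pete_do")))
```

Two things the replay makes visible that the search text alone does not: `dedup EventCode` keeps exactly one event per code (the newest), so the overview tells you which kinds of account activity occurred, not how often or to whom; and because dedup runs before the `where` filter, a code whose newest event lacks a description disappears from the table entirely. The per-user search drops the dedup, which is why it surfaces both the lock-out and the earlier logon for `pete_do`.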
A good next step is to put this search on a dashboard and add interactive inputs so the search can be narrowed by user, domain, EventCode, or host, all with an adjustable time picker.
The Splunk App for Windows Infrastructure has a large set of other dashboards that report on user activity, which are especially useful for verifying group policies related to accounts that are inactive, have no password, have no password expiry, and so forth. The search presented here is fast and easy to run once you have the data, while the Windows Infrastructure app adds many more searches but takes more effort to implement.
Finally, you might be interested in other processes associated with the Monitoring Windows account access use case.