Windows service account login attempts
Service accounts are important because they are associated with applications or services on the operating system. They also have broader privileges and greater access to infrastructure than ordinary user accounts, so you want easy insight into what these accounts are doing.
Data required
Microsoft: Windows security logs
Procedure
- Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Verify that you have enabled the WinEventLog://Security input on all Active Directory domain controllers.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
eventtype=windows_logon_failure OR eventtype=windows_logon_success user=svc*
| fields user, status, _time, Logon_Type
| eval Logon_User=lower(user)
| stats count BY _time, status, Logon_User, Logon_Type
| eventstats sum(count) AS l_cnt BY Logon_User, Logon_Type
| eval Logon_Types=case(Logon_Type="0","(".l_cnt.") Local-System",Logon_Type="2","(".l_cnt.") Interactive",Logon_Type="3","(".l_cnt.") Network",Logon_Type="4","(".l_cnt.") Batch",Logon_Type="5","(".l_cnt.") Service",Logon_Type="7","(".l_cnt.") Screen Unlock",Logon_Type="8","(".l_cnt.") Network Cleartext",Logon_Type="9","(".l_cnt.") New Credentials-RunAs",Logon_Type="10","(".l_cnt.") Remote Interactive",Logon_Type="11","(".l_cnt.") Cached Interactive",Logon_Type="255" OR Logon_Type="0xFF","(".l_cnt.") Failed")
| stats max(_time) AS latest, min(_time) AS earliest, count AS sesscount, values(Logon_Types) AS Session_Types, count(eval(status="success")) AS success_count, count(eval(status="failure")) AS fail_count BY Logon_User
| eval First_Attempt=strftime(earliest, "%m/%d/%Y %H:%M:%S"), Last_Attempt=strftime(latest, "%m/%d/%Y %H:%M:%S"), Fail_Percent=round((fail_count/sesscount)*100,2), Total_Attempts=fail_count+success_count, Success_Percent=round((success_count/sesscount)*100,2), Fail_Percent=Fail_Percent."% (".tostring(fail_count,"commas").")"
| sort 0 -Fail_Percent, -Total_Attempts
| eval Success_Percent=Success_Percent."% (".tostring(success_count,"commas").")", Total_Attempts=tostring(Total_Attempts,"commas")
| table Logon_User Total_Attempts Fail_Percent Success_Percent First_Attempt Last_Attempt Session_Types
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
eventtype=windows_logon_failure OR eventtype=windows_logon_success | Search for only Windows logon events that are a success or a failure. These event types are defined in the Splunk Add-on for Microsoft Windows. |
user=svc* | Search only users whose user name starts with svc. These are service accounts. |
fields user, status, _time, Logon_Type | Show only the fields listed. |
eval Logon_User=lower(user) | Normalize logon names to all lowercase to make comparisons easier. |
stats count BY _time, status, Logon_User, Logon_Type | Calculate an initial count for each combination of the fields in the BY clause. This sets up the running total for the eventstats command that follows. |
eventstats sum(count) AS l_cnt BY Logon_User, Logon_Type | Calculate a running total of count for each logon user and logon type, stored in l_cnt. |
eval Logon_Types=case(Logon_Type="0","(".l_cnt.") Local-System",Logon_Type="2","(".l_cnt.") Interactive",Logon_Type="3","(".l_cnt.") Network",Logon_Type="4","(".l_cnt.") Batch",Logon_Type="5","(".l_cnt.") Service",Logon_Type="7","(".l_cnt.") Screen Unlock",Logon_Type="8","(".l_cnt.") Network Cleartext",Logon_Type="9","(".l_cnt.") New Credentials-RunAs",Logon_Type="10","(".l_cnt.") Remote Interactive",Logon_Type="11","(".l_cnt.") Cached Interactive",Logon_Type="255" OR Logon_Type="0xFF","(".l_cnt.") Failed") | Format the output to show the logon type descriptor and the count of that type returned by the search. The count is surrounded by parentheses. |
stats max(_time) AS latest, min(_time) AS earliest, count AS sesscount, values(Logon_Types) AS Session_Types, count(eval(status="success")) AS success_count, count(eval(status="failure")) AS fail_count BY Logon_User | Aggregate time to latest and earliest using max and min. Count sessions, successes, and failures for each logon user and collect the distinct logon type descriptors. |
eval First_Attempt=strftime(earliest, "%m/%d/%Y %H:%M:%S"), Last_Attempt=strftime(latest, "%m/%d/%Y %H:%M:%S"), Fail_Percent=round((fail_count/sesscount)*100,2), Total_Attempts=fail_count+success_count, Success_Percent=round((success_count/sesscount)*100,2), Fail_Percent=Fail_Percent."% (".tostring(fail_count,"commas").")" | Format the latest and earliest time values from epoch to calendar format. Calculate the percent of failures and the percent of successes out of the session count. Format the failed percent value with the percent sign and show the total failed count to the right in parentheses. |
sort 0 -Fail_Percent, -Total_Attempts | Sort with the highest failed percentage first, then the highest number of total attempts. The 0 overrides the default result limit so that all rows are returned. |
eval Success_Percent=Success_Percent."% (".tostring(success_count,"commas").")", Total_Attempts=tostring(Total_Attempts,"commas") | Format the success percent output to show the percent sign and the total success count in parentheses, and add thousands separators to the total attempts. |
table Logon_User Total_Attempts Fail_Percent Success_Percent First_Attempt Last_Attempt Session_Types | Display the results in a table with the columns in the order shown. |
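As an added illustration that is not part of the original article, the following Python reference implementation reproduces the search's pipeline over a constructed set of logon events. It is useful for checking alert thresholds offline and for seeing that sesscount counts the rows produced by the first stats command rather than raw events. The event dictionary keys and the UTC rendering of timestamps are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
# Logon_Type codes mapped to the descriptors used in the search's case() call.
LOGON_TYPES = {"0": "Local-System", "2": "Interactive", "3": "Network", "4": "Batch",
               "5": "Service", "7": "Screen Unlock", "8": "Network Cleartext",
               "9": "New Credentials-RunAs", "10": "Remote Interactive",
               "11": "Cached Interactive", "255": "Failed", "0xFF": "Failed"}

# Constructed sample events (not real log data) in the shape the search expects.
SAMPLE_EVENTS = [
    {"user": "SVC_Backup", "status": "success", "_time": 1700000000, "Logon_Type": "5"},
    {"user": "svc_backup", "status": "failure", "_time": 1700000060, "Logon_Type": "3"},
    {"user": "svc_backup", "status": "failure", "_time": 1700000120, "Logon_Type": "3"},
    {"user": "svc_sql", "status": "success", "_time": 1700000200, "Logon_Type": "3"},
    {"user": "jdoe", "status": "failure", "_time": 1700000300, "Logon_Type": "2"},
]

def fmt_time(epoch):  # strftime(_time, "%m/%d/%Y %H:%M:%S"), rendered in UTC here
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%m/%d/%Y %H:%M:%S")

def summarize_service_logons(events, prefix="svc"):
    """Run the search's pipeline over logon event dicts; return rows in final sort order."""
    # user=svc* | eval Logon_User=lower(user) | stats count BY _time,status,Logon_User,Logon_Type
    rows = Counter()
    for ev in events:
        user = str(ev["user"]).lower()
        if user.startswith(prefix):
            rows[(ev["_time"], ev["status"], user, str(ev["Logon_Type"]))] += 1
    # eventstats sum(count) AS l_cnt BY Logon_User,Logon_Type
    l_cnt = Counter()
    for (_, _, user, ltype), n in rows.items():
        l_cnt[(user, ltype)] += n
    # Second stats BY Logon_User: sesscount counts first-stats rows, not raw events.
    acc = defaultdict(lambda: {"times": [], "succ": 0, "fail": 0, "types": set()})
    for t, status, user, ltype in rows:
        a = acc[user]
        a["times"].append(t)
        a["succ" if status == "success" else "fail"] += 1
        if ltype in LOGON_TYPES:  # case() is null for other codes, so values() omits them
            a["types"].add(f"({l_cnt[(user, ltype)]}) {LOGON_TYPES[ltype]}")
    out = []
    for user, a in acc.items():
        sess = a["succ"] + a["fail"]  # equals sesscount when status is success or failure
        out.append({"Logon_User": user, "Total_Attempts": sess,
                    "Fail_Percent": round(a["fail"] / sess * 100, 2),
                    "Success_Percent": round(a["succ"] / sess * 100, 2),
                    "First_Attempt": fmt_time(min(a["times"])), "Last_Attempt": fmt_time(max(a["times"])),
                    "Session_Types": sorted(a["types"])})
    out.sort(key=lambda r: (-r["Fail_Percent"], -r["Total_Attempts"]))  # sort 0 -Fail_Percent, -Total_Attempts
    return out
```

This implementation sorts Fail_Percent numerically, whereas the search turns Fail_Percent into a string such as "66.67% (2)" before its sort command, so Splunk orders that column lexicographically; formatting the value after the sort, as the search already does for Success_Percent, keeps the ordering numeric.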
Next steps
Sample results are displayed in the following table and give an easy-to-read summary of logon activity for service accounts. Some of the values could be used for alerting, such as too high a percentage of failed logons, failed logons during certain times, and failures on certain machines. Most of these are security or compliance related, but they could also inform troubleshooting. For example, failed updates or installations could be correlated with failed logons.
Logon_User | Total_Attempts | Fail_Percent | Success_Percent | First_Attempt | Last_Attempt | Session_Types |
---|---|---|---|---|---|---|
Finally, you might be interested in other processes associated with the Monitoring Windows account access use case.