Successful Logons – Windows

WinEventLog:Security
SplunkNinja
You already voted!

The following is a Splunk query that will display a timechart for all successful logons to windows:

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| timechart span=1h count by host

Here’s a detailed table showing similar information with greater detail:

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host)
| eval hammer=_time 
| bucket span=12h hammer 
| stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name
| rename hammer as "12 hour blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("12 hour blocks")
| sort - "12 hour blocks"

Splunk Query Repository

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Successful Logons – Windows

Related Queries

DLL Serach Oreder Hijacking (mitre : T1574.001)

Search for disabled AD accounts that have been re-enabled

Zerologon Detection (CVE-2020-1472)

Leave A Comment? Click here to cancel reply.