Does Broadcom recommend or provide a sample query for importing authentication events (AE) from a Splunk data source into Information Centric Analytics (ICA)?
Version : 6.x
Component : Splunk Importer
The following sample query may be used and modified as needed.
NOTE: Broadcom offers no guarantee of the suitability or operability of this query in your environment. If you require assistance with modifying or troubleshooting this or any other custom query, work with your Splunk administrator or engage professional services.
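``` Authentication-event (AE) export for the ICA Splunk Importer: Windows logon events 4624/4625/4648 reshaped into the ICA AE column set. Triple-backtick comments need Splunk 8.x or later; strip them on older instances. ```
index = windows_security
(EventCode = 4624 OR EventCode = 4625 OR EventCode = 4648)
``` NOT (...) keeps events that lack the field, whereas "field != value" silently drops them. 4648 carries no Logon_Type, Logon_Process or Authentication_Package, so the != form never let a 4648 event through. Logon types 0, 1 and 5 stay excluded as before. ```
AND NOT (Logon_Type = 0 OR Logon_Type = 1 OR Logon_Type = 5)
``` Machine accounts ("*$"), the Windows empty marker "-", and well-known non-user principals are not AE subjects. "SVC" is an exact match, not a prefix - widen to "SVC*" only if that is the local service-account convention. ```
AND NOT (user = "SVC" OR user = "*$" OR user = "-" OR user = "ANONYMOUS LOGON" OR user = "SYSTEM" OR user = "sys*")
AND NOT Logon_Process = "Kerberos"
AND NOT Authentication_Package = "Kerberos"
``` Resolve the reporting host to an IP through the asset lookup; a host with no asset entry yields no ip, and therefore no destinationAddress. ```
| eval dvc_nt_host = lower(dvc_nt_host)
| lookup asset_lookup_by_str asset AS dvc_nt_host OUTPUT ip
| rename ip AS dvc_ip
``` Whole-second epoch; ICA reads deviceReceiptTime as the event time. ```
| eval deviceReceiptTime = round(_time,0)
``` CIM / TA field names -> ICA AE column names. Every pair is independent, so one rename command is equivalent to the original chain. ```
| rename src_ip AS sourceAddress,
         src_nt_host AS sourceHostName,
         Account_Domain AS SourceNtDomain,
         dvc_nt_host AS destinationHostname,
         dest_nt_domain AS destinationNtDomain,
         Account_Name AS sourceUserName,
         user AS destinationUserName,
         dvc_ip AS destinationAddress,
         category AS Type,
         RecordNumber AS SourceEventID
``` Human-readable logon type; anything not listed (including an absent Logon_Type) becomes "None". ```
| eval Logon_Type_Name = case(
    Logon_Type=2, "Interactive Physical Logon",
    Logon_Type=3, "Network Logon",
    Logon_Type=4, "Batch Job Logon",
    Logon_Type=7, "Unlock",
    Logon_Type=8, "Network Cleartext Logon",
    Logon_Type=9, "Run As Different User",
    Logon_Type=10, "Remote Authentication",
    Logon_Type=11, "Cached Interactive",
    true(), "None"
  )
``` 1 only for an explicit success; failure and any other/absent action value map to 0. ```
| eval successBit = case(
    action="success", 1,
    action="failure", 0,
    true(), 0
  )
``` stats drops any event that is missing one of its BY fields. Fill the fields that can legitimately be absent (no source network data, no asset match, no Logon_Type on 4648) with "-", the value Windows itself writes for empty fields, so the event is still exported. destinationUserName and action are deliberately left unfilled: an event with no subject user or no success/failure classification is still dropped, matching the user = "-" exclusion above. Confirm the ICA importer accepts "-" in these columns. ```
| fillnull value="-" sourceAddress sourceHostName SourceNtDomain sourceUserName destinationHostname destinationNtDomain Type Logon_Type destinationAddress
``` SourceEventID (RecordNumber) is unique per event, so eventCount is 1 per row; the BY list is the full ICA column set. ```
| stats count AS eventCount
  BY successBit,
     deviceReceiptTime,
     destinationUserName,
     sourceAddress,
     sourceHostName,
     SourceNtDomain,
     sourceUserName,
     destinationHostname,
     destinationNtDomain,
     EventCode,
     Type,
     Logon_Type,
     Logon_Type_Name,
     action,
     destinationAddress,
     SourceEventID
``` Fixed column order expected by the importer. ```
| table eventCount,
        successBit,
        deviceReceiptTime,
        destinationUserName,
        sourceAddress,
        sourceHostName,
        SourceNtDomain,
        sourceUserName,
        destinationHostname,
        destinationNtDomain,
        EventCode,
        Type,
        Logon_Type,
        Logon_Type_Name,
        action,
        destinationAddress,
        SourceEventID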