How to edit my dashboard search to monitor logged in admins from Active Directory (Windows)?

I have to build a dashboard to see all logged-in admins. So I search for EventCode 4624 and 4634 and Logon Type 2 and 10. But to get these events only for a specific user group, I have to do a second search like "Give me all members of group....." right? And after that, I have to correlate these searches. If I've done something wrong, please tell me how it really works. Anyway, I did the search with PowerShell and I tried several solutions to store all admin names. I tried to store it into a CSV file in a separate index, and I tried to correlate the searches with a subsearch to the second index, with inputlookup to the CSV and with an automatic lookup, but either way the performance is really bad. It is not usable! What is the best way to do this? Thanks

sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10)
| rename Account_Name as SamAccountName
| eval Date=strftime(_time, "%Y/%m/%d")
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")
| transaction host user startswith="EventCode=4624"
| dedup user _time
| search [| inputlookup AD_Admins.csv | fields SamAccountName]
| sort - _time
| convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Datum Zeit"
| table host, user, LogonType, Date, "Datum Zeit"

Or another one:

sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10)
| rename Account_Name as SamAccountName
| search [| inputlookup AD_Admins.csv | fields SamAccountName]
| eval Date=strftime(_time, "%Y/%m/%d")
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")
| transaction host user startswith="EventCode=4624"
| dedup user _time
| convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Datum Zeit"
| table host, user, LogonType, Date, "Datum Zeit"
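As an added example (not part of the question above), the same admin-logon monitoring written so that the admin filter is applied in the base search rather than after transaction and dedup: the subsearch over AD_Admins.csv (assumed, as in the question, to have a SamAccountName column) is rewritten to emit Account_Name terms, so the indexers discard non-admin events before anything is pulled back, and stats replaces the transaction command, which is the usual cause of slow searches of this kind. This version only reports 4624 logon events and does not pair them with 4634 logoffs; note that Account_Name on a 4624 event is multivalued (subject and new-logon account), so the filter matches if either value is in the admin list.

```spl
sourcetype=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10)
    [| inputlookup AD_Admins.csv | fields SamAccountName | rename SamAccountName AS Account_Name]
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")
| stats count AS logons, min(_time) AS first_seen, max(_time) AS last_seen BY host, Account_Name, LogonType
| convert timeformat="%d/%m/%y %H:%M:%S" ctime(first_seen) ctime(last_seen)
| sort - last_seen
| table host, Account_Name, LogonType, logons, first_seen, last_seen
```

If the admin list grows beyond the subsearch result limit, the same early filtering can be kept by replacing the subsearch with `| lookup AD_Admins.csv SamAccountName AS Account_Name OUTPUT SamAccountName AS admin_match | where isnotnull(admin_match)` placed directly after the base search.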
