Click on an event to look it up on www.eventid.net
-24h@h now All * ( ) host=" " OR `event_sources` ("Audit Success" OR "Audit Failure") | stats count by host $interval.earliest$ $interval.latest$ host host Audit Failure,Audit Success Failure Success ( ) " " OR Audit Type Audit Type Audit Failure,Audit Success * Yes No Message!="*privilege*" Yes No Account_Name != "*$$*" Account_Name != "*$$*"
Audit events over time `event_sources` ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$ | fillnull | timechart count $interval.earliest$ $interval.latest$ Accounts with 3 or more failed logons `event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ Message != "*privilege*" Account_Name != "*$*" | table host, Account_Name, Failure_Reason | stats count by Account_Name | where count > 2 $interval.earliest$ $interval.latest$ 1 Audit Failure events by computer `event_sources` "Audit Failure" AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ | fillnull | stats count by host $interval.earliest$ $interval.latest$ 1 Distinct Accounts `event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon $Audit_Type$ | stats dc(Account_Name) $interval.earliest$ $interval.latest$ 1 Logon Successful Audits `event_sources` AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon | stats count $interval.earliest$ $interval.latest$ 1 Logon Audit Failure events `event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ Failure_Reason=* ("Audit Failure") | stats count $interval.earliest$ $interval.latest$ search?q=`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ Message != "*privilege*" Account_Name != "*$*" | stats count&earliest=$interval.earliest$&latest=$interval.latest$ New Local Admins `event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ | transaction Security_ID maxspan=180m | search EventCode=4720 OR (EventCode=4732 Administrators) | stats count $interval.earliest$ $interval.latest$ 1 Events Summary `event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$ | fillnull | eval Type=if(Keywords=="Audit Success",Keywords, Type) | eval Type=if(Keywords=="Audit Failure",Keywords, Type) | stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, Type | sort 
-count host, EventCode, Type, Sample_message | rename EventCode as "EventId" | fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X") $interval.earliest$ $interval.latest$ https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId
Audit Failure Events `event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND "Audit Failure" | fillnull | eval user=mvindex(Account_Name,1) | table _time, host, EventCode, Message, user, Failure_Reason, Source_Workstation, Caller_Process_Name | rename EventCode as "EventId", Caller_Process_Name as Process $interval.earliest$ $interval.latest$
Accounts successfully logged on `event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND TaskCategory=Logon AND NOT Account_Name="*ANONYMOUS*" | timechart count $interval.earliest$ $interval.latest$ Audit Success Events `event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ "Audit Success" | fillnull | eval Type=if(Keywords=="Audit Success",Keywords, Type) | eval Type=if(Keywords=="Audit Failure",Keywords, Type) | eval user=mvindex(Account_Name,1) | table _time, host, EventCode, Message, user, Source_Workstation, Process_Name | rename EventCode as "EventId", Process_Name as Process $interval.earliest$ $interval.latest$
Audit events - drill down option `event_sources` $Audit_Type$ AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ | fillnull | eval Type=if(Keywords=="Audit Success",Keywords, Type) | eval Type=if(Keywords=="Audit Failure",Keywords, Type) | eval user=mvindex(Account_Name,1) | table _time, host, EventCode, Type, Message, user $interval.earliest$ $interval.latest$ host, LogName, EventCode, SourceName, Type, Message, user