2022-01-19 09:10 AM - edited 2022-01-19 09:13 AM
Dear community, I would like to have your opinion and help in order to create reports for user activity on Windows such as log-in and log-out. Based on Windows logon events and logon type it seems kind of frustrating, and it appears like the number of logins for one specific user is too high compared to the real situation. I have tried a query like this:
event.cat.name = 'User.Activity.Successful Logins' && device.type = 'winevent_nic' && (logon.type = '10' || logon.type = '2')
Currently our logs for user activity are being gathered from our Domain Controller and not from the Windows computers one by one.
2022-01-24 10:15 PM
Hello.
Actually, the DC doesn't gather the logon/logoff events of your workstations: 4624/4625/4647 with Logon Types 2 (interactive logon) / 7 (unblock) / 10 (remote logon).
You can find these events only on your workstations.
So if you want to collect such events, you have to gather them from the workstations.
The Domain Controller gathers only 4624 events for Logon Type 3 (network auth, and several more) of your users.
But you can collect the 4768/4769/4770/4771/4774/4776/4778/4779 Kerberos events; there are a lot of them, though, and you have to correlate several such events to report, for example, one successful logon.
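The correlation step described in this reply, as an added example that is not part of the original thread: fold a successful 4768 (TGT request) and the 4769 service-ticket requests that follow it from the same user and client IP within a short window into a single logon record. The events, user names, hosts and IPs are constructed for the example; the sessions carry no logon type because, as the reply says, the Kerberos events do not record one.

```python
from datetime import datetime, timedelta

# Constructed DC audit records (hypothetical users, hosts and IPs).
# 4768 = Kerberos TGT requested, 4769 = Kerberos service ticket requested.
# Status "0x0" means success; "0x18" is KDC_ERR_PREAUTH_FAILED (wrong password).
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2022-01-25T08:00:00", "User": "alice", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"EventID": 4769, "Time": "2022-01-25T08:00:02", "User": "alice", "IpAddress": "10.0.0.21", "Status": "0x0", "Service": "WS01$"},
    {"EventID": 4769, "Time": "2022-01-25T08:00:05", "User": "alice", "IpAddress": "10.0.0.21", "Status": "0x0", "Service": "cifs/FS01"},
    {"EventID": 4768, "Time": "2022-01-25T08:00:03", "User": "bob",   "IpAddress": "10.0.0.22", "Status": "0x18"},
    {"EventID": 4768, "Time": "2022-01-25T09:30:00", "User": "alice", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"EventID": 4769, "Time": "2022-01-25T09:30:01", "User": "alice", "IpAddress": "10.0.0.21", "Status": "0x0", "Service": "WS01$"},
    # A service ticket with no TGT request in the window: issued from a cached TGT,
    # so it cannot be attributed to a fresh logon.
    {"EventID": 4769, "Time": "2022-01-25T12:00:00", "User": "alice", "IpAddress": "10.0.0.21", "Status": "0x0", "Service": "ldap/DC01"},
]


def correlate_kerberos_logons(events, window=timedelta(seconds=60)):
    """Return one record per successful TGT request, with the service tickets
    the same (user, ip) requested within `window` of it.

    Kerberos events carry no LogonType, so that field is always None here.
    """
    ordered = sorted(events, key=lambda e: e["Time"])  # ISO-8601 sorts lexically
    sessions = []
    open_sessions = {}  # (user, ip) -> most recent session for that pair

    for e in ordered:
        t = datetime.fromisoformat(e["Time"])
        key = (e["User"].lower(), e["IpAddress"])

        if e["EventID"] == 4768:
            if e["Status"] != "0x0":
                continue  # failed TGT request is not a logon (see failed_tgt_requests)
            session = {"user": key[0], "ip": key[1], "start": t, "services": [], "logon_type": None}
            sessions.append(session)
            open_sessions[key] = session

        elif e["EventID"] == 4769 and e["Status"] == "0x0":
            session = open_sessions.get(key)
            if session is not None and t - session["start"] <= window:
                session["services"].append(e["Service"])
            # Otherwise: service ticket from an older TGT; ignored for logon counting.

    return sessions


def failed_tgt_requests(events):
    """(user, status) for every 4768 that did not succeed; useful for a failed-logon report."""
    return [(e["User"].lower(), e["Status"]) for e in events
            if e["EventID"] == 4768 and e["Status"] != "0x0"]


if __name__ == "__main__":
    for s in correlate_kerberos_logons(SAMPLE_EVENTS):
        print(s["user"], s["ip"], s["start"].isoformat(), s["services"])
    print("failed:", failed_tgt_requests(SAMPLE_EVENTS))
```

With the constructed input this yields two logons for alice (08:00 and 09:30) rather than six raw events, and the midday 4769 is dropped because no TGT request precedes it within the window.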
2022-01-25 03:16 AM
Hello @MaximMarchenko
Yes, you are right. Actually I noticed that the logs registered locally on the workstation do not match those on the DC. However, I can still see some logon type 2 coming from the DC.
2022-01-25 03:58 AM
If you see that ip.dst/host.dst is your DC - logon type 2 from the DC means somebody logged in to your DC directly, imho.
2022-01-25 04:02 AM
🙂
I understand 🙂 Well, it makes sense.
2022-01-25 07:19 AM
Do you think there is any way to enable, for example, audit logs on the DC in order to get such activity into the SIEM?
2022-01-25 09:21 PM
From my own exploration there is no way to do this: LogonType 2/7/10 of domain computers are stored locally on these computers.
By enabling the policy you've mentioned, you will only be able to get Kerberos events (like "ticket was granted", etc.), which are painful to correlate and don't store the LogonType in them.
For example, you can read this article (about the 4624 event - successful logon):
"This event records every successful attempt to log on to the local computer. It includes critical information about the logon type (e.g. interactive, batch, network, or service), SID, username, network information, and more. Monitoring this particular event is crucial as the information regarding logon type is not found in DCs."
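The point made across this thread (4624 logon type 3 is what the DC records, 2/7/10 live on the workstation, and an interactive type seen on the DC itself means a logon to the DC), worked through as an added example that is not from the thread or from any SIEM vendor. The 4624 records, host names and IPs are constructed; `Computer` stands for the host whose Security log the collector read.

```python
from collections import defaultdict

# Logon types the thread describes as recorded only on the workstation itself.
INTERACTIVE_LOGON_TYPES = {"2", "7", "10"}   # console, unlock, RDP
NETWORK_LOGON_TYPE = "3"                     # what a DC sees for share/LDAP/GPO access

# Constructed 4624 records (hypothetical hosts and users).
SAMPLE_4624 = [
    {"Computer": "WS01", "LogonType": "2",  "TargetUserName": "alice", "IpAddress": "127.0.0.1"},
    {"Computer": "WS01", "LogonType": "7",  "TargetUserName": "alice", "IpAddress": "127.0.0.1"},
    {"Computer": "WS01", "LogonType": "10", "TargetUserName": "alice", "IpAddress": "10.0.0.50"},
    {"Computer": "DC01", "LogonType": "3",  "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"Computer": "DC01", "LogonType": "3",  "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"Computer": "DC01", "LogonType": "3",  "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"Computer": "DC01", "LogonType": "3",  "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"Computer": "DC01", "LogonType": "2",  "TargetUserName": "admin", "IpAddress": "127.0.0.1"},
]


def filter_interactive(events, types=("2", "10")):
    """Same selection as the query in the first post, with the OR properly grouped:
    successful logon AND (type 10 OR type 2)."""
    wanted = set(types)
    return [e for e in events if e["LogonType"] in wanted]


def summarize_by_user(events):
    """Per user: interactive vs. network logon counts and the hosts that logged them."""
    summary = defaultdict(lambda: {"interactive": 0, "network": 0, "sources": set()})
    for e in events:
        row = summary[e["TargetUserName"].lower()]
        if e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            row["interactive"] += 1
        elif e["LogonType"] == NETWORK_LOGON_TYPE:
            row["network"] += 1
        row["sources"].add(e["Computer"])
    return dict(summary)


def interactive_logons_on_dc(events, dc_hosts):
    """Interactive-type 4624s written by a DC's own log: someone logged on to the DC."""
    return [e for e in events
            if e["Computer"] in dc_hosts and e["LogonType"] in INTERACTIVE_LOGON_TYPES]


def dc_only_view(events, dc_hosts):
    """What a collector that reads only the DCs (the situation in the first post) gets."""
    return [e for e in events if e["Computer"] in dc_hosts]


if __name__ == "__main__":
    print("all hosts:", summarize_by_user(SAMPLE_4624))
    print("DC only:  ", summarize_by_user(dc_only_view(SAMPLE_4624, {"DC01"})))
    print("interactive on DC:", interactive_logons_on_dc(SAMPLE_4624, {"DC01"}))
```

Run against the constructed data, the DC-only view shows alice with four network logons and zero interactive ones, while the workstation log holds her three interactive events; the one type 2 on DC01 belongs to an admin logging on to the DC directly, which is the reading given above for type 2 events whose destination is the DC.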