This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
jmyers1
Absent Member.
Absent Member.
‎2017-03-04 18:44
232 views

How to find actual Windows User logins among the noise?

I'm new to ArcSight and I'm trying to get a list of a specific user's login times. In logger I'm searching on ((categoryBehavior = "/Authentication/Verify" AND destinationUserName = jdoe)) and deviceEventClassId = "Microsoft-Windows-Security-Auditing:4624". 

Unfortunately I'm getting hundreds of events per hour and I don't see another field I can sort on to identify the interactive "type 2"  4624 events.

How can I isolate these down to just the actual user logins?

Thanks in advance for any help!

jm

Labels (2)
Labels
0 Likes
Reply
Report Inappropriate Content
2 Replies
rejinmk
Captain
Captain
‎2017-03-05 11:57

Hi JM,

you can find the logon type from Device Custom Number1  field.

Regards,

Rejin MK

0 Likes
Reply
Report Inappropriate Content
David Bau
Admiral
Admiral
‎2017-03-05 22:33

Hello JM

Which type of connector and architecture are you using to get your windows events?

getting 4624 type 2/10/5 etc can be accomplished in several ways

I recommend implementing event log forwarding using a GPO and installing a native connector to get the forwarded events log on the subscriber server

Best regards

David

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.