
Windows event 4624

Jump to solution

Hi All

Windows event 4624

When the login succeeds, it is displayed in the console.

I do not want to display the logins of users participating in the domain.

I want to set the filter of the rule.

I want to know how to set it up.

regards

manda

Accepted Solutions
First, set your filter to show all events in the last, say, 15 minutes in an Active Channel.

Once you have that, you're going to parse down via an inline filter for the External ID of 4624.

Then, once you have just 4624s coming through, double-click one of them and see where, or to what field, the Account Domain field was mapped in the CEF event.

Also keep this in mind: Account Domain in the first group is usually for the device itself; the New Logon Account Domain is typically where the user occurs in the local or Active Directory environment; the Source Network Address can be the source workstation's or server's IP, or the domain controller trying to verify the account to the primary domain controller.

An account was successfully logged on.

Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3

Impersonation Level: Impersonation

New Logon:
  Security ID: LB\DEV1$
  Account Name: DEV1$
  Account Domain: LB
  Logon ID: 0x894B5E95
  Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}

Process Information:
  Process ID: 0x0
  Process Name: -

Network Information:
  Workstation Name:
  Source Network Address: 10.42.1.161
  Source Port: 59752

Detailed Authentication Information:
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only):

Once you have reviewed all of that, building the filter is easy, as the conditions will be verified in testing.
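To make the point about the two Account Domain groups concrete, here is an added example (not part of the original answer or of ArcSight) that parses the 4624 body quoted above into its sections and applies the kind of filter the question asks for. It reads the New Logon group, not the Subject group, and assumes the event text arrives in the layout shown; the sample is the answer's event abbreviated to the sections used.

```python
# Constructed sample: the 4624 body quoted in the answer above, abbreviated
# to the sections this example reads (Subject, New Logon, Network Information).
SAMPLE_4624 = """An account was successfully logged on.

Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3

New Logon:
  Security ID: LB\\DEV1$
  Account Name: DEV1$
  Account Domain: LB
  Logon ID: 0x894B5E95

Network Information:
  Workstation Name:
  Source Network Address: 10.42.1.161
  Source Port: 59752
"""


def parse_4624(text):
    """Parse the multi-section 4624 body into {section: {field: value}}.
    Section headers are unindented lines ending in ':'; fields are 'Name: value'.
    Lines before the first header land in the '_top' pseudo-section."""
    sections, current = {}, "_top"
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            sections.setdefault(current, {})
            continue
        name, _, value = line.partition(":")
        sections.setdefault(current, {})[name.strip()] = value.strip()
    return sections


def should_suppress(event, excluded_domain, drop_machine_accounts=True):
    """Rule filter: True means this 4624 should NOT be shown.
    The authenticated identity is in 'New Logon'; 'Subject' is usually the
    device (here 'NULL SID' / '-'), so filtering on it would match nothing."""
    new_logon = event.get("New Logon", {})
    domain = new_logon.get("Account Domain", "")
    account = new_logon.get("Account Name", "")
    if domain.upper() == excluded_domain.upper():
        return True  # a logon by an account of the excluded domain
    # Computer accounts end in '$' and are usually noise for this use case.
    return drop_machine_accounts and account.endswith("$")
```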


Dear Christopher Kaija

Thank you for your answer.

I understand.

regards

manda
