Have Orbital Search pull a specific event id and logon type

SteveZelik48355
Level 1

I'm relatively new to Cisco AMP's Orbital Search, but looking for an easy way to have the Orbital Search query a client machine and pull all events 4624 and also want to further filter into logon types 2 (interactive logon at keyboard) and type 7 (unlock), but unable to find anything on it...

3 Replies 3

dkrull
Cisco Employee

Greetings SteveZelik48355,

You would need to create a custom query to filter those particular Login types. Orbital already has one that will pull all 4624 events. You can use the 'NewCredentials Windows Event Logs' query as a base template and modify it as needed.

You can modify the very last option in this query the '%Logon Type:9%' to be whatever the event type you want. Make sure to keep the '%' sign in the query. So if you want to query for Type 2 logons all you need to do is change the number to 2 like '%Logon Type:2%'. I've copied and pasted the raw query below that you can use:

SELECT DATETIME(TimeWritten, "unixepoch", "UTC") AS "TimeWritten", DATETIME(TimeGenerated, "unixepoch", "UTC") AS "TimeGenerated", Logfile, SourceName, EventIdentifier, Type, Message FROM Win32_NtLogEvent WHERE EventIdentifier = "4624" AND REPLACE(Message, char(9), "") LIKE '%Logon Type:9%';

Just note that you may need to run two queries. One for each of the types you want to retrieve. 

Please let me know if you have any questions.

Dmitri Krull
Technical Marketing Engineer - Endpoint Security
dkrull@cisco.com
SSCP - 743085

Thanks so much for this.  One quick question, if I want to modify the line below to look for both logins #2 and 7, how do I put both into the query?

 LIKE '%Logon Type: 9%';

There's not a good way to get both, since the query returns the 'messages' in a single column and you won't be able to tell them apart without checking each one. However, here is the query that will return both. You may want to run this query from the API, as the JSON results would be easier to parse with Python:

SELECT DATETIME(TimeWritten, "unixepoch", "UTC") AS "TimeWritten", DATETIME(TimeGenerated, "unixepoch", "UTC") AS "TimeGenerated", Logfile, SourceName, EventIdentifier, Type, Message FROM Win32_NtLogEvent WHERE EventIdentifier = "4624" AND (REPLACE(Message, char(9), "") LIKE '%Logon Type:2%' OR REPLACE(Message, char(9), "") LIKE '%Logon Type:7%');

[EDIT]

You can also create a job for each query if needed so you don't have to copy and paste the query each time you want to run the search. You could create one job that looks for 7 and another that looks for 2.

Dmitri Krull
Technical Marketing Engineer - Endpoint Security
dkrull@cisco.com
SSCP - 743085
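The reply above suggests running the combined type 2 / type 7 query through the API and separating the results in Python, since the query itself returns both logon types in the same Message column. The script below is an added example, not code from the thread or from Cisco: it builds the combined query for any list of logon types (with the OR branches parenthesised so the EventIdentifier check covers each one), then buckets result rows by the logon type parsed out of Message. The result rows are constructed here to illustrate the shape of the data; the assumption that the Orbital API returns a JSON list of objects keyed by the SELECT column aliases is mine, as are the Message bodies, which mimic the Windows 4624 layout where "Logon Type:" is followed by tab characters.

```python
import json
import re

# Constructed sample rows (not captured events). Shape assumption: a JSON list of
# objects keyed by the column aliases of the forum query.
SAMPLE_RESULTS_JSON = json.dumps([
    {"TimeGenerated": "2024-01-15 08:02:11", "EventIdentifier": "4624",
     "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t\t2\r\n\r\n"
                "New Logon:\r\n\tAccount Name:\t\tjdoe"},
    {"TimeGenerated": "2024-01-15 08:30:45", "EventIdentifier": "4624",
     "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t\t7\r\n\r\n"
                "New Logon:\r\n\tAccount Name:\t\tjdoe"},
    {"TimeGenerated": "2024-01-15 09:12:03", "EventIdentifier": "4624",
     "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t\t3\r\n\r\n"
                "New Logon:\r\n\tAccount Name:\t\tsvc-backup"},
    {"TimeGenerated": "2024-01-15 09:40:00", "EventIdentifier": "4624",
     "Message": "An account was successfully logged on.\r\n\r\nLogon Type:\t\t\t2\r\n\r\n"
                "New Logon:\r\n\tAccount Name:\t\tadmin"},
    # A failed logon (4625) with the same logon type: must be ignored.
    {"TimeGenerated": "2024-01-15 10:05:19", "EventIdentifier": "4625",
     "Message": "An account failed to log on.\r\n\r\nLogon Type:\t\t\t2\r\n\r\n"
                "Account For Which Logon Failed:\r\n\tAccount Name:\t\tjdoe"},
])

# \s* absorbs the tabs (no REPLACE needed on the Python side); \d+ reads the whole
# number, so type 10 is never mistaken for type 1 the way a '%Logon Type:1%'
# substring match would.
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
ACCOUNT_RE = re.compile(r"New Logon:.*?Account Name:\s*(\S+)", re.S)

LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 7: "Unlock",
                    9: "NewCredentials", 10: "RemoteInteractive"}


def build_query(logon_types):
    """Return the thread's Win32_NtLogEvent query extended to several logon types.

    One LIKE branch per type, as in the reply above, wrapped in parentheses so the
    EventIdentifier condition applies to every branch. Single-quoted literals are
    used for the string values.
    """
    branches = " OR ".join(
        f"REPLACE(Message, char(9), '') LIKE '%Logon Type:{int(t)}%'" for t in logon_types
    )
    return (
        "SELECT DATETIME(TimeWritten, 'unixepoch', 'UTC') AS TimeWritten, "
        "DATETIME(TimeGenerated, 'unixepoch', 'UTC') AS TimeGenerated, "
        "Logfile, SourceName, EventIdentifier, Type, Message "
        "FROM Win32_NtLogEvent WHERE EventIdentifier = '4624' AND (" + branches + ");"
    )


def logon_type_of(message):
    """Parse the numeric logon type out of a 4624/4625 Message, or None if absent."""
    m = LOGON_TYPE_RE.search(message)
    return int(m.group(1)) if m else None


def split_by_logon_type(results_json, wanted=(2, 7)):
    """Bucket successful-logon (4624) rows by logon type; other rows are dropped."""
    buckets = {t: [] for t in wanted}
    for row in json.loads(results_json):
        if row.get("EventIdentifier") != "4624":
            continue
        message = row.get("Message", "")
        t = logon_type_of(message)
        if t not in buckets:
            continue
        acct = ACCOUNT_RE.search(message)
        buckets[t].append({
            "time": row.get("TimeGenerated"),
            "logon_type": t,
            "logon_type_name": LOGON_TYPE_NAMES.get(t, "Other"),
            "account": acct.group(1) if acct else None,
        })
    return buckets


if __name__ == "__main__":
    print(build_query([2, 7]))
    for t, rows in split_by_logon_type(SAMPLE_RESULTS_JSON).items():
        print(f"Logon type {t} ({LOGON_TYPE_NAMES.get(t, 'Other')}): {len(rows)} event(s)")
        for r in rows:
            print(f"  {r['time']}  {r['account']}")
```

The regex does the job the SQL REPLACE was doing (tolerating the tabs after "Logon Type:") and also reads the whole number, which matters if you later extend the filter to single-digit types such as 1, where the substring pattern '%Logon Type:1%' would also match types 10 through 13.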