10-05-2020 04:46 AM
I'm relatively new to Cisco AMP's Orbital Search, but looking for an easy way to have the Orbital Search query a client machine and pull all events 4624 and also want to further filter into logon types 2 (interactive logon at keyboard) and type 7 (unlock), but unable to find anything on it.
10-05-2020 05:52 AM - edited 10-05-2020 05:52 AM
Greetings SteveZelik48355,
You would need to create a custom query to filter those particular Login types. Orbital already has one that will pull all 4624 events. You can use the 'NewCredentials Windows Event Logs' as a base template and modify it as needed.
You can modify the very last option in this query the '%Logon Type:9%' to be whatever the event type you want. Make sure to keep the '%' sign in the query. So if you want to query for Type 2 logons all you need to do is change the number to 2 like '%Logon Type:2%'. I've copied and pasted the raw query below that you can use:
SELECT DATETIME(TimeWritten, "unixepoch", "UTC") AS "TimeWritten", DATETIME(TimeGenerated, "unixepoch", "UTC") AS "TimeGenerated", Logfile, SourceName, EventIdentifier, Type, Message FROM Win32_NtLogEvent WHERE EventIdentifier = "4624" AND REPLACE(Message, char(9), "") LIKE '%Logon Type:9%';
Just note that you may need to run two queries. One for each of the types you want to retrieve.
Please let me know if you have any questions.
10-05-2020 05:59 AM
Thanks so much for this. One quick question, if I want to modify the line below to look for both logins #2 and 7, how do I put both into the query?
LIKE '%Logon Type: 9%';
10-05-2020 07:07 AM - edited 10-05-2020 07:14 AM
There's not a good way to get both since the query will return the 'messages' in a single column, so you won't be able to tell them apart without checking each one. However, here is the query that will return both. You may want to do this query from the API as the JSON results would be easier to parse with Python:
SELECT DATETIME(TimeWritten, "unixepoch", "UTC") AS "TimeWritten", DATETIME(TimeGenerated, "unixepoch", "UTC") AS "TimeGenerated", Logfile, SourceName, EventIdentifier, Type, Message FROM Win32_NtLogEvent WHERE EventIdentifier = "4624" AND REPLACE(Message, char(9), "") LIKE '%Logon Type:2%' OR EventIdentifier = "4624" AND REPLACE(Message, char(9), "") LIKE '%Logon Type:7%';
[EDIT]
You can also create a job for each query if needed so you don't have to copy and paste the query each time you want to run the search. You could create one job that looks for 7 and another that looks for 2.
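One way to tell the two logon types apart once the combined query's JSON comes back from the API, as an added example that is not the poster's code: the row shape (a list of objects keyed by column name) and the sample 4624 messages are constructed assumptions.

```python
import json
import re

# Constructed sample of what the API might return for the combined query
# above (assumed shape: a list of row objects keyed by column name).
SAMPLE_RESULTS = json.dumps([
    {"TimeWritten": "2020-10-05 09:41:02", "EventIdentifier": "4624",
     "Message": "An account was successfully logged on.\r\n\r\n"
                "Logon Type:\t\t\t2\r\n\r\nNew Logon:\r\n\tAccount Name:\t\tjdoe"},
    {"TimeWritten": "2020-10-05 09:55:17", "EventIdentifier": "4624",
     "Message": "An account was successfully logged on.\r\n\r\n"
                "Logon Type:\t\t\t7\r\n\r\nNew Logon:\r\n\tAccount Name:\t\tjdoe"},
    {"TimeWritten": "2020-10-05 10:02:44", "EventIdentifier": "4624",
     "Message": "An account was successfully logged on.\r\n\r\n"
                "Logon Type:\t\t\t3\r\n\r\nNew Logon:\r\n\tAccount Name:\t\tsvc-backup"},
])

# "Logon Type:" followed by the tabs the SQL strips with REPLACE, then the number.
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
# The 4624 text has two "Account Name" fields; anchor on the "New Logon" block.
ACCOUNT_RE = re.compile(r"New Logon:.*?Account Name:\s*(\S+)", re.S)

def logon_type(message):
    """Return the numeric logon type from a 4624 message, or None if absent."""
    m = LOGON_TYPE_RE.search(message)
    return int(m.group(1)) if m else None

def split_by_logon_type(results_json, wanted=(2, 7)):
    """Group 4624 rows by logon type, keeping only the wanted types."""
    grouped = {t: [] for t in wanted}
    for row in json.loads(results_json):
        if row.get("EventIdentifier") != "4624":
            continue
        lt = logon_type(row["Message"])
        if lt in grouped:
            acct = ACCOUNT_RE.search(row["Message"])
            grouped[lt].append({
                "time": row["TimeWritten"],
                "account": acct.group(1) if acct else None,
            })
    return grouped

if __name__ == "__main__":
    for lt, rows in split_by_logon_type(SAMPLE_RESULTS).items():
        print(f"Logon Type {lt}: {rows}")
```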