Windows Event Logs report for one employee #12444
-
I am super new to SO but I have had it running for a few months now and I am collecting Windows logs from 3 DCs and a few workstations using the Elastic Fleet with the SO agent. I can run a query and get the event logs for logon/logoff/lock etc. My question is how do I easily run a query to export to a report? I have watched all the videos and read everything, but it is just standing out to me. Our log file max on the Windows DC is 4GB so I am missing about 30 days of logs I would like to add to a report. This is where our SIEM should be able to come into play. I have SO and CheckMK right now collecting in testing. I am green on both but at least I know the data is probably there. If I run the hunt against this I am getting the information I need and the tags look correct, I think?? Do I just run the hunt for 52 days and somehow export the report? My hunt is probably something like event id 4625,4624,434,4647,4800,4801 with an employee user id? Or do I use Kibana? Here is the output of that: event.code Kibana doesn't look like I am able to query the user though. Which is strange because if I use event.code:4625 AND user.name:employee name it doesn't work but if I run user.name:employee it comes back with all kinds of events.
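The per-user logon/logoff report the question asks for, worked through offline as an added example (this is not code from the discussion, from Security Onion or from Elastic). It assumes the events have already been exported from Kibana/Elasticsearch as JSON documents carrying the ECS fields `@timestamp`, `event.code`, `user.name` and, on logon-related events, `winlog.event_data.TargetUserName` and `winlog.event_data.LogonType`; those field names are an assumption about what the Elastic Windows integration emits, not something verified on the poster's instance. Because a logon event can name the account in the target field rather than in `user.name`, the filter checks both, which is one reason a `user.name:` search can look incomplete. Event ID 4634 is included on the assumption that "434" in the question is a typo for it. The sample documents are constructed for the example.

```python
"""Per-user Windows logon activity report built from ECS-style event documents.

Added example, not code from the discussion or from Security Onion. Assumes
events exported from Kibana/Elasticsearch with the ECS fields `@timestamp`,
`event.code`, `user.name`, `winlog.event_data.TargetUserName` and
`winlog.event_data.LogonType` (assumed field names, not verified on the
poster's instance).
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Event IDs listed in the question, plus 4634 (assumed to be what "434" meant).
LOGON_EVENTS = {
    "4624": "Successful logon",
    "4625": "Failed logon",
    "4634": "Logoff",
    "4647": "User-initiated logoff",
    "4800": "Workstation locked",
    "4801": "Workstation unlocked",
}

# Constructed sample documents (not real log data). Some are nested the way
# Elasticsearch returns _source, some are flattened the way a CSV export looks.
SAMPLE_DOCS = [
    {"@timestamp": "2024-01-15T08:02:11.000Z", "event": {"code": "4624"},
     "user": {"name": "jdoe"},
     "winlog": {"event_data": {"TargetUserName": "jdoe", "LogonType": "2"}}},
    {"@timestamp": "2024-01-15T12:30:00.000Z", "event.code": 4800,
     "user.name": "jdoe"},
    {"@timestamp": "2024-01-15T13:05:42.000Z", "event": {"code": "4801"},
     "user": {"name": "jdoe"}},
    {"@timestamp": "2024-01-15T09:10:03.000Z", "event": {"code": "4625"},
     "user": {"name": "asmith"},
     "winlog": {"event_data": {"TargetUserName": "asmith"}}},
    # Constructed case where user.name is the computer account and the person
    # only appears in the target field; a plain user.name search would miss it.
    {"@timestamp": "2024-01-15T17:45:09.000Z", "event": {"code": "4647"},
     "user": {"name": "DC01$"},
     "winlog": {"event_data": {"TargetUserName": "JDOE"}}},
    {"@timestamp": "2024-01-15T10:00:00.000Z", "event": {"code": "4688"},
     "user": {"name": "jdoe"}},
    {"@timestamp": "2023-11-01T08:00:00.000Z", "event": {"code": "4624"},
     "winlog": {"event_data": {"TargetUserName": "jdoe"}}},
]

# End of the reporting window used by the stand-alone run below (assumed date).
REPORT_END = datetime(2024, 2, 1, tzinfo=timezone.utc)


def get_field(doc, dotted):
    """Resolve a dotted ECS path against either a nested or a flattened document."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def event_account(doc):
    """Account the event concerns: the logon target when present, else user.name."""
    return (get_field(doc, "winlog.event_data.TargetUserName")
            or get_field(doc, "user.name"))


def parse_ts(value):
    """Parse an ECS @timestamp (ISO 8601, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def report_rows(docs, username, end, days):
    """Logon-related events for one account within the `days` before `end`, oldest first."""
    start = end - timedelta(days=days)
    rows = []
    for doc in docs:
        code = str(get_field(doc, "event.code"))
        if code not in LOGON_EVENTS:
            continue
        account = event_account(doc)
        if not account or account.lower() != username.lower():
            continue
        ts = parse_ts(get_field(doc, "@timestamp"))
        if not start <= ts < end:
            continue
        rows.append({
            "timestamp": ts.isoformat(),
            "event_code": code,
            "description": LOGON_EVENTS[code],
            "account": account,
            "logon_type": get_field(doc, "winlog.event_data.LogonType") or "",
        })
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def summarize(rows):
    """Count of events per description, for the report header."""
    return Counter(r["description"] for r in rows)


def to_csv(rows):
    """Render the rows as CSV text, ready to attach to a report."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["timestamp", "event_code", "description", "account", "logon_type"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = report_rows(SAMPLE_DOCS, "jdoe", REPORT_END, days=52)
    print(to_csv(rows))
    for desc, n in sorted(summarize(rows).items()):
        print(f"{desc}: {n}")
```

Run as-is it reports the four jdoe logon events inside the 52-day window and drops the other account, the non-logon event and the out-of-window event; swap `SAMPLE_DOCS` for the documents exported from your own query to produce the real report.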
Replies: 1 comment
-
I ended up figuring this out. This is key before you get all of the stuff you need from AD.
https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/active-directory-hunting-set-up-advanced-monitoring-with-sysmon/m-p/3977120
Once we did that we can see it all now in kibana.