The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Windows Login events with the Logon type translated

Windows login events parsed from the event logs.

select datetime,
       eventid, 
  json_extract(windows_eventlog.data,'$.EventData.TargetUserSid') as 'sid',
  json_extract(windows_eventlog.data,'$.EventData.TargetUserName') as 'username',
  json_extract(windows_eventlog.data,'$.EventData.LogonType') as 'logon_type',
  case json_extract(windows_eventlog.data,'$.EventData.LogonType')
    when '2' then 'INTERACTIVE'
    when '3' then 'NETWORK'
    when '4' then 'BATCH'
    when '5' then 'SERVICE'
    when '7' then 'UNLOCK'
    when '8' then 'NETWORK_CLEAR_TEXT'
    when '9' then 'NEW_CREDENTIALS'
    when '10' then 'REMOTE_INTERACTIVE'
    when '11' then 'CACHED_INTERACTIVE'
  end 'logon_type_description',
  json_extract(windows_eventlog.data,'$.EventData.IpAddress') as 'ip_address',
  json_extract(windows_eventlog.data,'$.EventData.IpPort') as 'ip_port'
from windows_eventlog
where channel = 'Security'
  and eventid ='4624'
  and (data not like '%"LogonType":"4"%' and data not like '%"LogonType":"5"%');
Tags (2)
2 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
jnelson
Carbon Black Employee

Updated using the json_extract() function I just learned about