logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Windows Login events with the Logon type translated

Status: Approved Submitted by on ‎04-09-2021 01:07 PM

Windows login events parsed from the event logs.

select datetime,
       eventid, 
  json_extract(windows_eventlog.data,'$.EventData.TargetUserSid') as 'sid',

  json_extract(windows_eventlog.data,'$.EventData.TargetUserName') as 'username',

  json_extract(windows_eventlog.data,'$.EventData.LogonType') as 'logon_type',

  case json_extract(windows_eventlog.data,'$.EventData.LogonType')

    when '2' then 'INTERACTIVE'

    when '3' then 'NETWORK'

    when '4' then 'BATCH'

    when '5' then 'SERVICE'

    when '7' then 'UNLOCK'

    when '8' then 'NETWORK_CLEAR_TEXT'

    when '9' then 'NEW_CREDENTIALS'

    when '10' then 'REMOTE_INTERACTIVE'

    when '11' then 'CACHED_INTERACTIVE'

  end 'logon_type_description',

  json_extract(windows_eventlog.data,'$.EventData.IpAddress') as 'ip_address',

  json_extract(windows_eventlog.data,'$.EventData.IpPort') as 'ip_port'

from windows_eventlog

where channel = 'Security'

  and eventid ='4624'

  and (data not like '%"LogonType":"4"%' and
       data not like '%"LogonType":"5"%');
Tags (2)
Comment
2 Comments
jnelson
Carbon Black Employee
‎04-09-2021 01:07 PM
‎04-09-2021 01:07 PM
Status changed to: Approved
 
jnelson
Carbon Black Employee
‎08-20-2021 03:00 PM
‎08-20-2021 03:00 PM

Updated using the json_extract() function I just learned about

logo