Simple Search and confusion


(Corey H) #1

I am currently working on searching for failed "computer accounts" in windows event ID 4776.
Data
2018 Jun 14 16:21:31 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CCOMPUTERNAME$ Source Workstation: CCOMPUTERNAME Error Code: 0xc0000064

Basically I am just trying to do
data.id:4776 AND full_log: "Account: CC*$"
or computers that start with CC.

I just can't seem to get it working.

Thanks for the help in advance.


(Tyler Smalley) #2

Can you give an example of what the document looks like which you're indexing?


(Corey H) #3

Thanks for the Reply.

The system is configured to receive messages from OSSEC, so all the documents are just windows event logs.

Windows uses a $ sign at the end of the computer name to signify that it is a computer account.
So a normal user would have an account like "CoreyH" and the computer that is joined to the domain would have an account like COMPUTER$

I am trying to search for computers that start with CC and end with $ so that I can send the request to the correct team.

So a single doc is:
2018 Jun 14 16:21:31 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CCOMPUTERNAME$ Source Workstation: CCOMPUTERNAME Error Code: 0xc0000064

That "$" is not supposed to be a special character, but for the life of me, I can't seem to use it in a search.

Thanks for your time.
Corey
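The following is an added example (not code from the thread or from OSSEC/Kibana) showing the detection logic the post describes: parse the OSSEC-forwarded 4776 line into fields, keep only AUDIT_FAILURE events, and flag computer accounts (trailing "$") whose name starts with "CC". It also builds an Elasticsearch query that does the same thing server-side. The sample log lines are constructed from the format in the post; the field name `data.id` comes from the thread, while `full_log.keyword` and the `$` being stripped by an analyzed text field's tokenizer are assumptions about the index mapping, which is the usual reason a wildcard phrase like "Account: CC*$" on an analyzed field finds nothing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the OSSEC -> WinEvtLog format shown in the thread.
SAMPLE_LOGS = [
    "2018 Jun 14 16:21:31 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. "
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CCOMPUTERNAME$ "
    "Source Workstation: CCOMPUTERNAME Error Code: 0xc0000064",
    "2018 Jun 14 16:22:05 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. "
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CoreyH "
    "Source Workstation: CCLAPTOP01 Error Code: 0xc000006a",
    "2018 Jun 14 16:23:10 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. "
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: HRSERVER07$ "
    "Source Workstation: HRSERVER07 Error Code: 0xc0000064",
    "2018 Jun 14 16:24:00 WinEvtLog: Security: AUDIT_SUCCESS(4776): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. "
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CCDESKTOP02$ "
    "Source Workstation: CCDESKTOP02 Error Code: 0x0",
]

# Fields of interest in a 4776 "credential validation" line. The account is
# taken verbatim, so the trailing '$' that marks a computer account survives.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: "
    r"(?P<outcome>AUDIT_\w+)\((?P<event_id>\d+)\):.*?"
    r"Logon Account: (?P<account>\S+) Source Workstation: (?P<workstation>\S+) "
    r"Error Code: (?P<error>0x[0-9a-fA-F]+)$"
)


@dataclass
class CredValidation:
    timestamp: str
    outcome: str
    event_id: int
    account: str
    workstation: str
    error_code: str

    @property
    def is_computer_account(self) -> bool:
        # Windows appends '$' to the sAMAccountName of machine accounts.
        return self.account.endswith("$")


def parse_event(line: str) -> Optional[CredValidation]:
    """Return the parsed event, or None for lines that are not 4776-style records."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return CredValidation(
        m["ts"], m["outcome"], int(m["event_id"]),
        m["account"], m["workstation"], m["error"],
    )


def failed_computer_accounts(lines: List[str], prefix: str = "CC") -> List[CredValidation]:
    """Failed 4776 validations for computer accounts whose name starts with `prefix`."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.event_id != 4776 or ev.outcome != "AUDIT_FAILURE":
            continue
        if ev.is_computer_account and ev.account.upper().startswith(prefix.upper()):
            hits.append(ev)
    return hits


def build_es_query(prefix: str = "CC") -> dict:
    """Equivalent Elasticsearch query. `data.id` is from the thread; the
    `full_log.keyword` sub-field is an assumption about the mapping. A wildcard
    on the un-analyzed keyword keeps the '$', whereas the standard analyzer on
    a text field drops it as punctuation, so the phrase never matches there."""
    pattern = f"*Logon Account: {prefix}*$ Source Workstation:*"
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"data.id": "4776"}},
                    {"wildcard": {"full_log.keyword": {"value": pattern}}},
                ]
            }
        }
    }


if __name__ == "__main__":
    for ev in failed_computer_accounts(SAMPLE_LOGS):
        print(f"{ev.timestamp} {ev.account} from {ev.workstation} ({ev.error_code})")
```

Of the four constructed lines only CCOMPUTERNAME$ is returned: CoreyH is a user account, HRSERVER07$ has the wrong prefix, and CCDESKTOP02$ succeeded. If `full_log` has no keyword sub-field, the wildcard query will not apply and the field needs a `keyword` mapping (or the account extracted into its own field at ingest) for the `$` to be searchable.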


(Corey H) #4

BUMP :slight_smile:


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.