Admin Login without a TGT Request Log

tgt_map.spl

index IN (...) EventID=4627 LogonType IN (3,10)
```Parse out Groups and expand each into it's own event``` 
    | rex field=GroupMembership "(?m)^\s*(?<GroupMV>.+)\n*" max_match=0 
    | mvexpand GroupMV
```Look for Admin Groups https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows``` 
    | search GroupMV="*-512}*" OR GroupMV="*-519}*" OR GroupMV="*-544}*" 
    | search TargetUserName!="*$" AND GroupMV!="%{S-1-5-32-544}"
```Map search for the lack of an associated 4768 TGT Request Log```
    | eval startMap=relative_time(_time,"-1m")
    | eval endMap=relative_time(_time,"+1m") 
    | eval unixtime=_time
    | map [
        | search _time>="$startMap$" _time<="$endMap$" index IN (...) EventID=4768 TargetUserName="$TargetUserName$"
        ```append makeresuts events with values that need to be retained from the 4627```
        ```adjust the eval portion to fit your needs```
        | append [| makeresults | eval TargetUserName="$TargetUserName$", GroupMV="$GroupMV$", _time="$unixtime$", EventID="$EventID$"]]
```Transaction to bind 4627 with associated 4768s```
    | transaction TargetUserName maxspan=5m keepevicted=true
```Search for events without an assocated 4768```
    | search NOT EventID=4768
    | table _time host TargetUserName eventcount _raw

The map and transaction times would need to be adjusted for this to truely work. And even if they were I have no idea how resource friendly this would be run. This was more me experimenting with the idea of generatng makeresults events inside a map search. Since, annoyingly map throws away the original events.

This exact detection /might/ work -- but the idea of makeresults with map opens up some fun doors.