https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425809#M5426 <P>Ah, yeah, the joy of those plain text windows events and their non-unique field names that get mapped to multi-valued fields in Splunk.</P> <P>So in that case Account_Name is multi-valued, right? Just split it using <CODE>mvindex</CODE>:</P> <PRE><CODE> sourcetype=WinEventLog:Security EventCode=4738 | eval source_user = mvindex(Account_Name,0) | eval target_user = mvindex(Account_Name,1) | where source_user = target_user </CODE></PRE> <P>But actually Splunk TA Windows already maps those 2 user names to <CODE>src_user</CODE> and <CODE>user</CODE> for CIM compatibility. So you should simply be able to do <CODE>| where src_user = user</CODE>.</P> Thu, 31 May 2018 18:52:31 GMT FrankVl 2018-05-31T18:52:31Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425806#M5423 <P>Greetings all, </P> <P>I am currently using a simple Splunk query to return all changes to a user account. </P> <P><STRONG><EM>sourcetype=WinEventLog:Security EventCode=4738 Account_Name=USERNAME</EM></STRONG></P> <P>An idea for an alert came to me and I have been having some issues getting it to work. How would I go about modifying this query to return only those entries where the source and target usernames are the same ?</P> <P>The purpose of this is to alert me when anyone makes changes to their own accounts in AD.</P> <P>Thanks in advance all ! </P> Thu, 31 May 2018 17:26:51 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425806#M5423 fzuazo 2018-05-31T17:26:51Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425807#M5424 <P>You'd need to refresh my mind on the actual field names of source user and target user for these particular events, but the basic principle would be:</P> <PRE><CODE>sourcetype=WinEventLog:Security EventCode=4738 | where source_user = target_user </CODE></PRE> Thu, 31 May 2018 17:53:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425807#M5424 FrankVl 2018-05-31T17:53:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425808#M5425 <P>This is where I am stuck. </P> <P>I have been trying to find the field names for the data but the way Splunk sees the event is below. I know it's impossible but the source and target seem to be the same. </P> <P>Subject:<BR /> Security ID: DOMAIN\USERNAME<BR /> <STRONG>Account Name:</STRONG> USERNAME<BR /> Account Domain: DOMAIN<BR /> Logon ID: VALUE</P> <P>Target Account:<BR /> Security ID: DOMAIN\USERNAME<BR /> <STRONG>Account Name:</STRONG> USERNAME<BR /> Account Domain: DOMAIN</P> Thu, 31 May 2018 18:12:24 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425808#M5425 fzuazo 2018-05-31T18:12:24Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425809#M5426 <P>Ah, yeah, the joy of those plain text windows events and their non-unique field names that get mapped to multi-valued fields in Splunk.</P> <P>So in that case Account_Name is multi-valued, right? Just split it using <CODE>mvindex</CODE>:</P> <PRE><CODE> sourcetype=WinEventLog:Security EventCode=4738 | eval source_user = mvindex(Account_Name,0) | eval target_user = mvindex(Account_Name,1) | where source_user = target_user </CODE></PRE> <P>But actually Splunk TA Windows already maps those 2 user names to <CODE>src_user</CODE> and <CODE>user</CODE> for CIM compatibility. So you should simply be able to do <CODE>| where src_user = user</CODE>.</P> Thu, 31 May 2018 18:52:31 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425809#M5426 FrankVl 2018-05-31T18:52:31Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425810#M5427 <P>Both of your recommendations worked for me. </P> <P>Thank you Frank. </P> Thu, 31 May 2018 19:36:08 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Event-ID-4738-How-to-alert-when-source-user-and-target-user-are/m-p/425810#M5427 fzuazo 2018-05-31T19:36:08Z