topic Re: User Account Activity_Add/Del/Modify in Alerting

User Account Activity_Add/Del/Modify

brpsingara — Tue, 21 May 2019 14:19:15 GMT

Is possible to single report for below ? if possible, could you please help me.

4625 An account failed to log on

4720 A user account was created

4722 A user account was enabled

4723 An attempt was made to change an account's password

4724 An attempt was made to reset an accounts password

4725 A user account was disabled

4726 A user account was deleted

4738 A user account was changed

4727 A security-enabled global group was created

4731 A security-enabled local group was created

thanks in advance.

Re: User Account Activity_Add/Del/Modify

koshyk — Wed, 30 Sep 2020 00:37:21 GMT

The best way to handle this is to install Splunk_TA_windows addon on your Search Heads. this should already have quite lot of logic to extract fields and identify the user actions. I'm expecting the tags like "add",
Please see the code sample from the TA

## EventCodes 4720, 4741, 624, 645
[windows_account_created]
search = sourcetype=*:Security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
#tags = add

Then you just need to query : index=* tag=add

After you put the TA and still if you haven't extracted, you need to extract the fields/eventtypes yourself
for instances, create an TA of your own and put line in eventtypes.conf and create all your eventcodes into single tag.

[windows_custom_my_eventcodes]
search = sourcetype=*:Security (EventCode=4720 OR xxxxx)
#tags = custom_tag_1

and in tags.conf, just add the custom_tag_1
and in final report you just need to do index=* tag=custom_tag_1

Re: User Account Activity_Add/Del/Modify

brpsingara — Tue, 21 May 2019 17:44:41 GMT

This is looks like out of my knowledge in Splunk, could you please share any videos or demo for this.

Re: User Account Activity_Add/Del/Modify

koshyk — Tue, 21 May 2019 19:29:26 GMT

A cheaper and easier solution (quick solution), would be

Put the above list into a csv e.g. winEventCodes_custom.csv with headers (EventID,EventIDDescription) .So it looks like

EventID,EventIDDescription
4625,"An account failed to log on"
4720,"A user account was created"
4722 ,"A user account was enabled"
...

Then do a lookup in your search something like (to get a count)

 index=* sourcetype=WinEventLog:*   
| lookup winEventCodes_custom.csv EventID OUTPUT EventIDDescription
| stats count by EventID,EventIDDescription

You can do any type of analysis based on above query. (like get users, like SecurityID etc.)

Re: User Account Activity_Add/Del/Modify

brpsingara — Wed, 30 Sep 2020 00:41:53 GMT

Thanks Koshyk for helping me.

No Result yet found for below code,

index=* sourcetype=WinEventLog:*

| lookup winEventCodes_custom EventID OUTPUT EventIDDescription
| stats count by EventID,EventIDDescription

But, i am able to see the failed logs, If i run below code.

sourcetype=WinEventLog:Security EventCode=4625
| Stats count by Account_Name, EventCode, Workstation_Name
| Sort - count

Why i am not getting same entries for lookup code?

Re: User Account Activity_Add/Del/Modify

brpsingara — Wed, 22 May 2019 15:23:13 GMT

Thanks, its working .....

Re: User Account Activity_Add/Del/Modify

brpsingara — Wed, 22 May 2019 15:33:09 GMT

created csv file "winEventCodes_custom.csv"

EventCode,EventCodeDescription
4625,"An account failed to log on"
4720,"A user account was created"

4722 ,"A user account was enabled"

index=* sourcetype=WinEventLog:*

| lookup winEventCodes_custom EventCode OUTPUT EventCodeDescription
| stats count by EventCode,EventCodeDescription

-------- this is working for me.