topic EventID - account name from 2 different events in one search in Splunk Search

EventID - account name from 2 different events in one search

icewolf69 — Sat, 03 Jul 2021 19:23:16 GMT

Hi all, I'm a Splunk beginner and I'm having a hard time getting this particular search down.

My objective is to get the "Account_Name" field from 2 different event codes (4624 type 10 & 4778). This issue is I can't figure out how to get both the 2nd instance of Account_Name for only the 4624, but the first instance of it in the 4778. This is because windows uses the Account_Name field twice in a lot of logs, but not in some. So I need the first Account_Name in 4778, and the second Account_Name in 4624.

Here is what I have so far. Having trouble putting in that middle piece.

index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10) | eval Acct=mvindex(Account_Name,1) ***Also find "eventcode=4778" Account_Name**** | rename Acct as "Account Used on Remote Machine" | rename Client_Name as "Source Machine" | rename ComputerName as "Destination Machine" | timechart count by "Account Used on Remote Machine"

Re: EventID - account name from 2 different events in one search

ITWhisperer — Sat, 03 Jul 2021 21:32:25 GMT

index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10)

This has limited your pipeline of events to just event cod 4624. What you probably need to do in include 4778 events as well

index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10) OR "eventcode=4778"

You now probably need to merge them into a single event in the pipeline?

You can do this with something like this

| stats count by Account_name

However, this will just give you a count of events by Account_name whether that event was a 4624 or 4778

Given that you seem to be using timechart, do you want the count of events within particular time periods?

Start with the search returning both type of events and decide what you want to do with those.

Re: EventID - account name from 2 different events in one search

icewolf69 — Sat, 03 Jul 2021 22:20:32 GMT

I can add 4778 easy enough, the issue is since they both use different "Account_Name" fields, I get garbage trying to filter either one:

4624:

Account_Name,0 = garbage

Account_Name,1=good, what I want to collect

4778:

Account_Name,0=good, what I want to collect

Account_Name,1=does not exist in log, garbage

If I try to collect both events "Account_Name,0", I get half junk, half good events. It's the same trying to collect "Account_Name,1" because since "Account_Name,1" doesn't exist in the 4778, it has no information to collect and the log is filtered.

I need someway to filter out the 4624 "Account_Name,0".... Or possibly ignore it and join "Account_Name,1" with "Account_Name" from 4778.

Re: EventID - account name from 2 different events in one search

ITWhisperer — Sun, 04 Jul 2021 06:35:55 GMT

| eval Account_name=if(eventcode="4624",mvindex(Account_name,1),mvindex(Account_name,0))