topic Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type. in Splunk Search

How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

acabralg — Thu, 20 Apr 2017 16:51:45 GMT

I thought the following query would return that but I can see accounts of type "Standard User".

"search host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4722) AND Account_Name=Administrator"

Is that possible? And if so, what am I missing?

Thank you.

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

richgalloway — Thu, 20 Apr 2017 16:56:28 GMT

Have you tried the obvious?

"search host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4722) AND Account_Name=Administrator" NOT "Standard User"

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

acabralg — Thu, 20 Apr 2017 17:08:23 GMT

I had not.
Since I can see the returned data, I can see that for the "Account Name" name the value is always Administrator.
Also have a feeling that the correct operator would be "!=" and not the "NOT".
There is no "Standard User" value in the data retrieved for the standard user created, therefore I can't filter for that. At least not for the value "Account_Name" but I went ahead and tried your code and it still returns the "Standard User" type account.
So, that is not the solution.

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

richgalloway — Thu, 20 Apr 2017 17:57:18 GMT

I took your "Standard User" quote literally.
Something in the event is telling you that this Administrator is not really an admin. You need to teach Splunk how to spot that indicator.
NOT tells Splunk to ignore events that contain whatever follows.
!= looks for a specific field. foo!=bar will return events that have a field called 'foo' the value of which is not 'bar'.

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

acabralg — Thu, 20 Apr 2017 19:57:18 GMT

I have used a text comparison tool to compare the differences btw the data returned for an admin account created vs. a standard user account created but found nothing that identifies an account/user as admin or not.

Have modified the query to check for eventcodes 624 and 626,
host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4722 OR EventCode=624 OR EventCode=626) AND Account_Name=Administrator

I am not sure on how to find this. Is there a way for me to add more data being displayed/returned?

I am working on C# code to handle the result of the query...

Thanks for the suggestion and help with the NOT/!=

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

acabralg — Fri, 21 Apr 2017 16:00:55 GMT

Since I could not find a way to retrieve the account type, I am currently just retrieving new accounts created and also retrieving EventCode=636(Security Enabled Local Group Member Added) and EventCode=4732 (A member was added to a security-enabled local group).

These events will tell me what groups the created users were added to.
Since I am writing c# code I can retrieve only the users that were added to the Administrators group.

Current search query,
host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4732 OR EventCode=624 OR EventCode=636 ) AND Account_Name=Administrator

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

adonio — Fri, 21 Apr 2017 16:43:22 GMT

Hello acabralg,
using the EventCode 4720 description here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4720 you can see there are 2 values under field Account_Name first is for the creator, and second is for the new created user
i use eval mvindex to distinguish between the two.
here is a sample search:

  host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4722) 
    | eval CreatedBy = mvindex(Account_Name,0) 
    | eval New_User = mvindex(Account_Name,1) 
    | search CreatedBy=*
    | table _time EventCode CreatedBy New_User

hope it helps

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

acabralg — Fri, 21 Apr 2017 16:51:20 GMT

Adonio, where in the response the account type? I see that I can get the account name, account domain and security id for both account creator and account created, but no account type can be found. Thanks for replying.

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

adonio — Fri, 21 Apr 2017 17:23:18 GMT

to understand better, you are looking for changes or new accounts that has "Administrator" privileges. these accounts might be created by anyone that has permissions to create accounts. is that a true statement?

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

acabralg — Fri, 21 Apr 2017 18:09:53 GMT

I think that my lack of knowledge on the flow of events related to account creation on a windows server did not allow me to ask the correct question. After some research I believe that there is one event for new account created and another event for adding that account to the "Administrators" group.
Initially I thought that I could retrieve that information from the account creation Event logs - EventCode=4720.
At this point I am looking for newly created accounts that have Administrator privileges. No matter if it was created by someone with permission to or not - I am assuming it will only be created by accounts with permission to do so. I am no longer worried about the enabling of accounts.
I have found a way to do so.
Below is my comment to the previous answer,

"Since I could not find a way to retrieve the account type, I am currently just retrieving new accounts created and also retrieving EventCode=636(Security Enabled Local Group Member Added) and EventCode=4732 (A member was added to a security-enabled local group).

These events will tell me what groups the created users were added to.
Since I am writing c# code I can retrieve only the users that were added to the Administrators group.

Current search query,
host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4732 OR EventCode=624 OR EventCode=636 ) AND Account_Name=Administrator"

Thank you.

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

adonio — Fri, 21 Apr 2017 18:20:43 GMT

beautiful,
if you are happy with your solution, please post as an answer and mark as accepted. or accept another answer here to close the question
have a great weekend

Re: How to serach for Windows Server created and enabled accounts of type Administrator - excluding Standard user account type.

acabralg — Fri, 21 Apr 2017 18:24:06 GMT

Since I could not find a way to retrieve the account type with the eventcode=4720 only, I am currently just retrieving new accounts created and also retrieving EventCode=636(Security Enabled Local Group Member Added) and EventCode=4732 (A member was added to a security-enabled local group).

These events will tell me which groups the created users were added to.
Since I am writing c# code, I can retrieve only the users that were added to the Administrators group.

Current search query,
host=* AND sourcetype=WinEventLog:Security AND (EventCode=4720 OR EventCode=4732 OR EventCode=624 OR EventCode=636 ) AND Account_Name=Administrator