topic Re: Excluding Users from Service Account Values: A Generic Approach? in Splunk Search

How to exclude users from service account values: a generic approach?

AL3Z — Mon, 12 Jun 2023 16:38:28 GMT

Hi,

I'm attempting to create a method to exclude users from service account values without excluding a particular service account. Is there a generic approach we can use to identify and exclude both existing and future service accounts?
How we could write the search for this use case.

Thanks..

Re: Excluding Users from Service Account Values: A Generic Approach?

AL3Z — Sun, 11 Jun 2023 17:41:46 GMT

Any idea

Re: Excluding Users from Service Account Values: A Generic Approach?

PickleRick — Sun, 11 Jun 2023 19:23:24 GMT

Just use a lookup which lists all accounts to exclude.

Re: Excluding Users from Service Account Values: A Generic Approach?

AL3Z — Mon, 12 Jun 2023 02:55:22 GMT

Hi,

What if we get the future service accounts?

Re: Excluding Users from Service Account Values: A Generic Approach?

richgalloway — Mon, 12 Jun 2023 13:20:32 GMT

Update the lookup file as new service accounts are added or removed.

Re: How to exclude users from service account values: a generic approach?

AL3Z — Mon, 12 Jun 2023 15:10:17 GMT

@richgalloway @PickleRick ,

What I need here is like in the event there is a OU=Service IDs ,OU=users,OU=computers exclude all the src_user from the OU=Service IDs only.

Thanks

Re: How to exclude users from service account values: a generic approach?

richgalloway — Mon, 12 Jun 2023 16:40:35 GMT

It would help to have a more defined set of requirements as well sample input and output, but perhaps this will help.

Adjust the fields and rename commands as necessary to match your fields.

Re: How to exclude users from service account values: a generic approach?

AL3Z — Mon, 12 Jun 2023 17:56:57 GMT

@richgalloway ,

Why we need lookup table over here . I don't think we need it .Just I want to exclude all the service accounts from the OU="Service IDs" from an event.

Re: How to exclude users from service account values: a generic approach?

richgalloway — Mon, 12 Jun 2023 18:53:09 GMT

You don't *need* a lookup. You can put an exclude list directly in the SPL, but that may end up being more difficult to maintain.

Re: How to exclude users from service account values: a generic approach?

AL3Z — Sat, 17 Jun 2023 07:02:35 GMT

...

Re: How to exclude users from service account values: a generic approach?

AL3Z — Wed, 14 Jun 2023 03:28:39 GMT

@richgalloway

Any suggestions on this usecase

Thanks

Re: How to exclude users from service account values: a generic approach?

richgalloway — Wed, 14 Jun 2023 14:46:35 GMT

Apart from the redundant "4738" in the macro, this code looks like it should work. How is it failing you?

Re: How to exclude users from service account values: a generic approach?

AL3Z — Sat, 17 Jun 2023 07:03:21 GMT

...

Re: How to exclude users from service account values: a generic approach?

richgalloway — Wed, 14 Jun 2023 17:59:56 GMT

Debug the query by running the commands before the first | in a new query. Verify the desired fields are present. Add the commands up to the next | and verify the fields are still there. Repeat the process until the fields disappear and you'll have found the source. Post the details if you need help determining the cause.

Re: How to exclude users from service account values: a generic approach?

AL3Z — Thu, 15 Jun 2023 18:17:53 GMT

Here OU is multi value field.

Re: How to exclude users from service account values: a generic approach?

AL3Z — Sat, 17 Jun 2023 07:05:36 GMT

Hi , How we can xclude service account from this event.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/><EventRecordID>668676978</EventRecordID><Correlation/><Execution ProcessID='656' ThreadID='6132'/><Channel>Security</Channel><Computer>swrfkeou09.am.win.cisco.com</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>BP_william_son</Data><Data Name='TargetDomainName'>AM</Data><Data Name='TargetSid'>AM\BP_william_son</Data><Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data><Data Name='SubjectUserName'>EC_OktaGMSER$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x7e3yd92a4</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data><Data Name='UserAccountControl'>
%%2048
%%2050</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data></EventData></Event>