How to get the target Account Name from WinEventLog:Security

rune_hellem — Mon, 20 Nov 2023 15:30:27 GMT

This is an example of an event for EventCode=4726. As you see there are two account name fields which the Splunk App parses as ... two account names

11/19/2023 01:00:38 PM LogName=Security EventCode=4726 EventType=0 ComputerName=dc.acme.com SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1539804373 Keywords=Audit Success TaskCategory=User Account Management OpCode=Info Message=A user account was deleted. Subject: Security ID: Acme\ScriptRobot Account Name: ScriptRobot Account Domain: Acme Logon ID: 0x997B8B20 Target Account: Security ID: S-1-5-21-329068152-1767777339-1801674531-65826 Account Name: aml Account Domain: Acme Additional Information: Privileges -

I want to search for all events with Subject:Account Name = ScriptRobot and then list all Target Account: Account Name. Knowing that multiline regex can be a bit cumbersome - tried the following search string, but it does not work

index="wineventlog" EventCode=4726 | rex "Subject Account Name:\s+Account Name:\s+(?<SubjectAccount>[^\s]+).*\s+Target Account:\s+Account Name:\s+(?<TargetAccount>[^\s]+)"

Re: How to get the target Account Name from WinEventLog:Security

yuanliu — Tue, 21 Nov 2023 07:10:22 GMT

If Splunk already extracted two Account Names, wouldn't it be simpler to call the first value and second value different names?

index="wineventlog" EventCode=4726 | eval SubjectAccountName = mvindex('Account Name', 0) | eval TargetAccountName = mvindex('Account Name', 1)

Also, I remember that some says Windows events can come in as JSON. If you have structured data, you don't need to worry about these at all.

topic Re: How to get the target Account Name from WinEventLog:Security in Splunk Search

How to get the target Account Name from WinEventLog:Security

Re: How to get the target Account Name from WinEventLog:Security