
Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Motivator

Hi All, currently in Splunk, many of the Windows logs have multiple accounts, domains, names, etc., and they all parse the same way.

Example

index=windows sourcetype="WinEventLog:Security" EventCode=4728 

LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4728
 EventType=0
 Type=Information
 ComputerName=VMDC01.XXXXXXs.com
 TaskCategory=Security Group Management
 OpCode=Info
 RecordNumber=666661820
 Keywords=Audit Success
 Message=A member was added to a security-enabled global group.

 Subject:
     Security ID:        XXXXX\TEST01
     Account Name:        TEST01
     Account Domain:        TEST
     Logon ID:        0xB7D860D0

 Member:
     Security ID:        XXXXXX\HXXX005
     Account Name:        CN=LXXXX\, Lucy,OU=Disabled Users,DC=XXXXXXs,DC=com

 Group:
     Security ID:        XXXXXX\OutlookCachedModeUsers
     Group Name:        OutlookCachedModeUsers
     Group Domain:        XXXXXX

 Additional Information:
     Privileges:

The resulting logs have a "Group", "Subject" and "Member" that all have a "Security ID" field in them. These need to be parsed individually as GroupSecurityID, SubjectSecurityID, and MemberSecurityID. This should be done for each sub-field.

Kindly guide me on this.

0 Karma

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

SplunkTrust

Hey, if you configure the input to render the logs as XML, the fields will have proper unique names, instead of what you experienced.
You could also do this manually for all of them, but it's some work and not very flexible.

0 Karma

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Motivator

xpac, thanks for your response, but I am not sure whether you have understood the requirement correctly. We need the details below to be parsed as individual fields in Splunk.

Subject:
Security ID: XXXXX\TEST01
Account Name: TEST01
Account Domain: TEST
Logon ID: 0xB7D860D0

SubjectSecurityID, SubjectSecurityAccount Name, SubjectSecurity _Account Domain and SubjectSecurity_LogonID

So kindly guide me on how to get this.

0 Karma

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Motivator

Hi All,

Any help on this will be much appreciated!!!

0 Karma

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Builder

I would not use XML-rendered events unless (1) there is data you need in the EventData subsection of the XML that is not also in the Message field, or (2) your Splunk users are competent with tstats-based event data exploration. XML field extraction is incredibly expensive at search time for dense data sets like the Windows security logs.

Here is a query I use to differentiate between the subject and member security IDs. In cases where differentiation matters I do not rely on SplunkTAWindows auto-extractions; I use custom field extractions instead.

sourcetype=WinEventLog:Security EventCode=4728
| rex field=Message "(?<summary>.*)"
| rex field=Message "Subject:\s+Security ID:\s+(?<Subject_Security_ID>.*)\s+Account Name:\s+(?<Subject_Account_Name>.*)\s+Account Domain:\s+(?<Subject_Account_Domain>.*)\s+Logon ID:\s+(?<Subject_Logon_ID>.*)"
| rex field=Message "Member:\s+Security ID:\s+(?<Member_Security_ID>.*)\s+Account Name:\s+(?<Member_Account_Account_Name>.*)"
| rex field=Message "Group:\s+Security ID:\s+(?<Group_Security_ID>.*)\s+Group Name:\s+(?<Group_Group_Name>.*)\s+Group Domain:\s+(?<Group_Group_Domain>.*)"
| table _time host sourcetype EventCode summary Subject_Security_ID Subject_Account_Name Subject_Account_Domain Subject_Logon_ID Member_Security_ID Member_Account_Account_Name Group_Security_ID Group_Group_Name Group_Group_Domain

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Motivator

Thanks dstaulcu for your effort on this. Actually my client wants this field value auto-extracted instead of end users executing the query. So could you please guide me on how to create props & transforms stanzas in order to get the same results as above automatically, without executing the customized query.

Thanks in advance.

0 Karma
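A search-time configuration that does what the rex chain in dstaulcu's query does, so the fields exist without end users typing the query. This is an added example, not code from this thread or from the Splunk Add-on for Windows; it assumes the sourcetype WinEventLog:Security and the Message layout shown in the question, and that the stanza is placed in the add-on's local directory on the search head(s) (for example Splunk_TA_windows/local/props.conf) and then reloaded (for example via /debug/refresh).

```ini
# Added example (not from the thread): search-time extractions for the
# sections of the Message field of Windows Security events.
# Each section label (Subject:, Member:, Group:) anchors its own regex, so the
# three "Security ID:" values land in three distinct field names instead of
# one multivalued Security_ID. [^\r\n]+ stops every capture at the end of its
# line, which matters because Windows event text uses \r\n line endings.
# Field names below are chosen for this example; pick your own if they
# collide with fields your add-on already extracts.
[WinEventLog:Security]

# Subject: the account that performed the group change
EXTRACT-subject_fields = Subject:\s+Security ID:\s+(?<Subject_Security_ID>[^\r\n]+)\s+Account Name:\s+(?<Subject_Account_Name>[^\r\n]+)\s+Account Domain:\s+(?<Subject_Account_Domain>[^\r\n]+)\s+Logon ID:\s+(?<Subject_Logon_ID>[^\r\n]+) in Message

# Member: the account that was added or removed (4728 carries only ID and name)
EXTRACT-member_fields = Member:\s+Security ID:\s+(?<Member_Security_ID>[^\r\n]+)\s+Account Name:\s+(?<Member_Account_Name>[^\r\n]+) in Message

# Group: the security group whose membership changed
EXTRACT-group_fields = Group:\s+Security ID:\s+(?<Group_Security_ID>[^\r\n]+)\s+Group Name:\s+(?<Group_Name>[^\r\n]+)\s+Group Domain:\s+(?<Group_Domain>[^\r\n]+) in Message
```

Because the regexes key on the section labels rather than the event code, the same stanza also covers the other group-membership events that share this Message layout (for example 4729, 4732 and 4756); verify with sourcetype=WinEventLog:Security EventCode=4728 | table Subject_Security_ID Member_Security_ID Group_Security_ID.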

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Builder

Can't think of a way to do that offhand, but I will challenge myself to figure it out.

0 Karma

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Motivator

Thanks dstaulcu, I am trying to seek help from xpac on this.

0 Karma

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Builder
0 Karma

Re: Is there a feature in the Splunk Windows add-on to add a data value called security_group_id from the Windows security event log as an individual Splunk field?

Motivator

Hi dstaulcu, thanks, and I sincerely appreciate your time and effort. Great work!!!

Hey, do I need to upload all the files which are present in the GitHub repository to the SplunkTAwindows app folder to achieve the results? Kindly guide me on this.

0 Karma