"Account_Name" field listing in events 4624, 4768 ...

bapruski · ‎05-15-2012

I am working on a query to extract all successful authentications (events 4624, 4768 and 4769) per user per day. The problem I am running into is the fact that the Account_Name field can be present more than once (twice in the event 4624). If I use the query:

source="wineventlog:security" (EventCode="4624" OR (EventCode="4768" OR EventCode="4769") (action="success")

the first occurrence of the Account_Name will always be selected for the user name, which in case of event 4624 is wrong and I get false results. If I change the index for the search of the Account_Name to point at the second value:

eval login_account=mvindex(Account_Name,1)

than only events 4624 will be processed and I will loose the information from events 4768 and 4769.

There must be a way of writing an expression which will take care of both cases. Can somebody shed some light here?

Thanks

kristian_kolb · ‎05-15-2012

From looking at some similar logs, it seems that the first value for Account_Name is "-" for EventCode 4624. If that is also your case, then the following will correct that;

source="wineventlog:security" EventCode="4624" OR EventCode="4768" OR EventCode="4769" 
| eval Account_Name=if(Account_Name="-", (mvindex(Account_Name,1)), Account_Name)  
| timechart span=1d c by Account_Name

Though in my case all the "corrected" Account_Names are all machine names (e.g. SERVER01$). Depending on the number of users/events and the time over which you run your search, this can take some time to compute.

Hope this helps,

Kristian

bapruski · ‎05-15-2012

That did the trick. Thanks!

woodcock · ‎07-25-2017

Don't forget to click Accept to close the question.

"Account_Name" field listing in events 4624, 4768 and 4769 (Windows 2008)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life