Dashboards & Visualizations

For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard?

dhrechkosy
Explorer

I am setting up dashboards for certain Active Directory security events for Splunk Light. When I search, for example, all accounts enabled and disabled it shows x2 values for "Account_Name". One is Subject and the other is Target (obviously), is there a way to filter out the "Subject" when I try to sort this search into a visualized chart? I want the outcome graph/chart to display only the Target accounts that were enabled/disabled and not display the user account who did it.

E.g.,

"Date" "Time"

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName= 
TaskCategory=User Account Management
OpCode=Info
RecordNumber=118575896
Keywords=Audit Success
Message=A user account was enabled.

Subject:
    Security ID:                "SID"
    Account Name:              "account-name"
    Account Domain:          "domain"
    Logon ID:                  "logon-id"

Target Account:
    Security ID:                "SID"
    Account Name:              "account-name"
    Account Domain:          "domain"

Thanks,
Devyn

0 Karma

woodcock
Esteemed Legend

Do your own field extraction and use that instead of the "free" ones, like this:

... | rex "(?ms)[\r\n]+EventCode=4722.*[\r\n]+Target Account:[\r\n]+\s+Security\s+ID:\s+\"?(?<MyTargetID>[^\"]+)\"?[\r\n]"
0 Karma

rbittner_splunk
Splunk Employee
Splunk Employee

Thanks! Are the Target Account and Subject different events? In short if they are different events then you should be able to filter them out before your run the stats command.

0 Karma

dhrechkosy
Explorer

The target account name and subject account name are part of the same event (if you look at the example above).

It logs which user performed the action and which user the action was being performed on.

I was hoping there was a way to filter out the "Subject Account Name" and have the chart sorted by "Target Account Name" only.

0 Karma

rbittner_splunk
Splunk Employee
Splunk Employee

There is a way to do this but will have to ask smarter Splunkers for some tips.

0 Karma

rbittner_splunk
Splunk Employee
Splunk Employee

Can you post the search that you are using to drive this chart? That will make it easier to figure out how to get the result you want.

0 Karma

dhrechkosy
Explorer
source="wineventlog:security" EventCode=4722 OR EventCode=4725  | stats count by Account_Name
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...