I am setting up dashboards for certain Active Directory security events for Splunk Light. When I search, for example, all accounts enabled and disabled it shows x2 values for "Account_Name". One is Subject and the other is Target (obviously), is there a way to filter out the "Subject" when I try to sort this search into a visualized chart? I want the outcome graph/chart to display only the Target accounts that were enabled/disabled and not display the user account who did it.
"Date" "Time" LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4722 EventType=0 Type=Information ComputerName= TaskCategory=User Account Management OpCode=Info RecordNumber=118575896 Keywords=Audit Success Message=A user account was enabled. Subject: Security ID: "SID" Account Name: "account-name" Account Domain: "domain" Logon ID: "logon-id" Target Account: Security ID: "SID" Account Name: "account-name" Account Domain: "domain"
Can you post the search that you are using to drive this chart? That will make it easier to figure out how to get the result you want.
source="wineventlog:security" EventCode=4722 OR EventCode=4725 | stats count by Account_Name
Thanks! Are the Target Account and Subject different events? In short, if they are different events then you should be able to filter them out before you run the stats command.
The target account name and subject account name are part of the same event (if you look at the example above).
It logs which user performed the action and which user the action was being performed on.
I was hoping there was a way to filter out the "Subject Account Name" and have the chart sorted by "Target Account Name" only.
There is a way to do this, but I will have to ask smarter Splunkers for some tips.
Do your own field extraction and use that instead of the "free" ones, like this:
... | rex "(?ms)[\r\n]+EventCode=4722.*[\r\n]+Target Account:[\r\n]+\s+Security\s+ID:\s+\"?(?<MyTargetID>[^\"\r\n]+)\"?[\r\n]"
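The same idea applied to the original question, as an added example that is not part of any reply above: it anchors the regex on the "Target Account:" block so only the target's "Account Name" is extracted, covers both 4722 (enabled) and 4725 (disabled), and charts by that field instead of the auto-extracted multivalue Account_Name. The field name TargetAccountName and the action labels are assumptions chosen here.

```spl
source="wineventlog:security" (EventCode=4722 OR EventCode=4725)
| rex field=_raw "(?ms)Target Account:.*?Account Name:\s+(?<TargetAccountName>[^\r\n]+)"
| eval TargetAccountName=trim(TargetAccountName)
| eval action=case(EventCode==4722, "enabled", EventCode==4725, "disabled")
| stats count by TargetAccountName action
```

The lazy `.*?` after "Target Account:" stops at the first "Account Name:" that follows it, so the Subject block (which precedes it in the message) is never captured; the character class excludes line breaks so the value cannot run past the end of its line when no quotes are present.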