For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard?

Explorer

I am setting up dashboards for certain Active Directory security events for Splunk Light. When I search, for example, all accounts enabled and disabled, it shows two values for "Account_Name". One is Subject and the other is Target (obviously). Is there a way to filter out the "Subject" when I try to sort this search into a visualized chart? I want the outcome graph/chart to display only the Target accounts that were enabled/disabled and not display the user account who did it.

E.g.,

"Date" "Time"

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName= 
TaskCategory=User Account Management
OpCode=Info
RecordNumber=118575896
Keywords=Audit Success
Message=A user account was enabled.

Subject:
    Security ID:                "SID"
    Account Name:              "account-name"
    Account Domain:          "domain"
    Logon ID:                  "logon-id"

Target Account:
    Security ID:                "SID"
    Account Name:              "account-name"
    Account Domain:          "domain"

Thanks,
Devyn


Esteemed Legend

Do your own field extraction and use that instead of the "free" ones, like this:

... | rex "(?ms)[\r\n]+EventCode=4722.*[\r\n]+Target Account:[\r\n]+\s+Security\s+ID:\s+\"?(?<MyTargetID>[^\"]+)\"?[\r\n]"
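As an added illustration (not code from this thread), the Python below models why the generic Account_Name extraction double-counts and how a regex anchored on the "Target Account:" block isolates the account the action was performed on, using constructed sample events shaped like the one in the question. The same pattern goes straight into Splunk's rex as (?<TargetAccountName>...) followed by | stats count by EventCode, TargetAccountName; the account and SID values are made up.

```python
import re
from collections import Counter

def make_event(code, subject, target):
    """Constructed event body shaped like the 4722/4725 message in the question (not real log data)."""
    action = "enabled" if code == "4722" else "disabled"
    return (
        f"EventCode={code}\nMessage=A user account was {action}.\n\n"
        "Subject:\n    Security ID:    S-1-5-21-0-0-0-1001\n"
        f"    Account Name:   {subject}\n    Account Domain: CORP\n    Logon ID:       0x3E7\n\n"
        "Target Account:\n    Security ID:    S-1-5-21-0-0-0-2001\n"
        f"    Account Name:   {target}\n    Account Domain: CORP\n"
    )

EVENTS = [
    make_event("4722", "admin.jane", "svc-backup"),
    make_event("4725", "admin.jane", "j.doe"),
    make_event("4722", "helpdesk.bob", "svc-backup"),
]

CODE_RE = re.compile(r"^EventCode=(\d+)", re.M)
# Anchored on the "Target Account:" block, so the Subject's Account Name can never match.
# Splunk rex is PCRE and spells a named group (?<name>...); Python's re spells it (?P<name>...).
TARGET_RE = re.compile(
    r"Target Account:\s*Security ID:\s*(?P<TargetSID>\S+)"
    r"\s*Account Name:\s*(?P<TargetAccountName>\S+)"
)

def naive_account_names(event):
    """What the generic 'Account_Name' extraction yields: both names, subject first."""
    return re.findall(r"Account Name:\s*(\S+)", event)

def extract_target(event):
    """The custom extraction: only the account the action was performed on."""
    m = TARGET_RE.search(event)
    return m.group("TargetAccountName") if m else None

def count_by_target(events):
    """Mirrors '| stats count by EventCode, TargetAccountName'; the acting user never appears."""
    counts = Counter()
    for ev in events:
        code, name = CODE_RE.search(ev), extract_target(ev)
        if code and name:
            counts[(code.group(1), name)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(naive_account_names(EVENTS[0]))  # both subject and target
    print(count_by_target(EVENTS))         # counts keyed by target only
```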

Splunk Employee

Thanks! Are the Target Account and Subject different events? In short, if they are different events, then you should be able to filter them out before you run the stats command.


Explorer

The target account name and subject account name are part of the same event (if you look at the example above).

It logs which user performed the action and which user the action was being performed on.

I was hoping there was a way to filter out the "Subject Account Name" and have the chart sorted by "Target Account Name" only.


Splunk Employee

There is a way to do this, but I will have to ask smarter Splunkers for some tips.


Splunk Employee

Can you post the search that you are using to drive this chart? That will make it easier to figure out how to get the result you want.


Explorer

source="wineventlog:security" EventCode=4722 OR EventCode=4725 | stats count by Account_Name