Can you help me create a dashboard based on a number of Windows events?

gopenshaw
Explorer

I'm trying to create a dashboard based on a number of Windows events and I have been banging my head up against this one all day.
The event structure is always similar to:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=$computername
TaskCategory=Logon
OpCode=Info
RecordNumber=299255
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     No

Impersonation Level:        Impersonation

New Logon:
    Security ID:        $DOMAIN\$username
    Account Name:       $username
    Account Domain:     $FQDN
    Logon ID:       $LOGON_ID
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     $LOGON_GUID

I've been trying to extract the Security IDs as two separate fields and so far, in this particular context, I have failed. I've tried a number of things. The closest I've gotten is using a field transformation to combine the two and then splitting. However, the split is not always on the same delimiter, e.g. some Security IDs have a space between, so I can't split on that.

I actually have this working for a different check using the following:

index=wineventlog EventCode=4740 | eval temp=split(member_id,"$DOMAIN\\") | eval "Locked Account"=mvindex(temp,1) | rename Caller_Computer_Name as "Lockout Source",_time as "Lockout Event Time" | convert ctime("Lockout Event Time") | table "Lockout Event Time", "Locked Account", "Lockout Source"

(member_id is a concatenation of both Security_IDs)
However, this doesn't work for the above example because the 2nd Security ID is not always $DOMAIN\$username.

Hope this makes sense!

0 Karma
1 Solution

mdelwaide
Path Finder

Have you tried extracting the Security IDs by creating a new field representing the parent? We had the same problem: users wanted to have a distinct field for each Security ID, and we used an extract in props.conf to do it.

[WinEventLog:Security]
EXTRACT-SUBJECT_SUB_Extract = Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*Logon ID:\s*(?P<Subject_Logon_ID>\S+)
EXTRACT-GROUP_SUB_Extract = Group\s?:\s+Security ID:\s*(?P<Group_Security_ID>(.*?))\s*Group Name:\s*(?P<Group_Group_Name>(.*?))\s*Group Domain:\s*(?P<Group_Group_Domain>(\S*?))\s
EXTRACT-NEWLOGON_SUB_Extract = New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*Account Domain:\s*(?P<NLogon_Account_Domain>(\S*?))\s+Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s

M.

0 Karma
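An added example, not part of this thread, that runs the Subject and New Logon extracts from the answer above over a constructed 4624 event using Python's re module (Splunk EXTRACT stanzas are PCRE, and the (?P<name>...) groups are accepted as-is). It also shows one caveat worth knowing: a Logon ID group that ends the pattern must be `\S+` or be followed by `\s`, because a trailing lazy `\S*?` is satisfied by the empty string.

```python
import re

# Constructed sample event, modelled on the 4624 event in the question, with the
# placeholders filled in. Real events use tabs where this sample uses spaces;
# the \s classes in the extracts cover both.
SAMPLE_4624 = """EventCode=4624
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

New Logon:
    Security ID:        CONTOSO\\jdoe
    Account Name:       jdoe
    Account Domain:     CONTOSO.LOCAL
    Logon ID:       0x3E7A1B
    Linked Logon ID:        0x0
"""

# The Subject and New Logon extracts from the answer. Splunk EXTRACT-* stanzas
# are PCRE, and Python's re understands the same (?P<name>...) groups.
SUBJECT_RE = re.compile(
    r"Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*"
    r"Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*"
    r"Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*"
    r"Logon ID:\s*(?P<Subject_Logon_ID>\S+)"  # \S+ rather than a trailing lazy \S*?
)
NEWLOGON_RE = re.compile(
    r"New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*"
    r"Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*"
    r"Account Domain:\s*(?P<NLogon_Account_Domain>(\S*?))\s+"
    r"Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s"
)

def extract_fields(event):
    """Return the Subject_* and NLogon_* fields as a search-time EXTRACT would."""
    fields = {}
    for rx in (SUBJECT_RE, NEWLOGON_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields

def lazy_tail_logon_id(event):
    # Same Subject extract but ending in a lazy \S*? with nothing after it: the
    # lazy group is satisfied by the empty string, so the Logon ID comes back blank.
    rx = re.compile(r"Subject\s?:\s+Security ID:.*?Logon ID:\s*(?P<Subject_Logon_ID>\S*?)", re.S)
    return rx.search(event).group("Subject_Logon_ID")
```

The two Security IDs land in separate fields (Subject_Security_ID and NLogon_Security_ID) whether the value is "NULL SID", a DOMAIN\user pair or a raw S-1-5-... SID, which is what the split-on-delimiter approach in the question could not do.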

mstjohn_splunk
Splunk Employee

Hi @gopenshaw,

It looks like this user mdelwaide provided the answer you were looking for. I converted their comment to an answer so that you could approve it.

Thanks!

0 Karma

gopenshaw
Explorer

Oddly, if I create these from the WebUI, the exact same config is put into props.conf, but it seems to be working fine. Thanks for your help.

0 Karma

gopenshaw
Explorer

Thanks mdelwaide, this is exactly what I was looking for. I have applied this to our props.conf; however, the results from a sourcetype="WinEventLog:Security" search don't bring up these additional fields.

I have added this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf, and I can see using btool that it has been loaded:

[splunk@ Splunk_TA_windows]$ /opt/splunk/bin/splunk cmd btool props list WinEventLog:Security | grep -i extract
EXTRACT-ACCLOCKOUT_SUB_Extract = Account That Was Locked Out:\s+Security ID:\s*(?P(.?))\s*Account Name:\s(?P(.))
EXTRACT-Account_Creator,Account_Created = (?m)(?s)Account\sName+?:\s+(?[a-zA-Z0-9-_]+).*Account\sName:\s+(?[a-zA-Z0-9-_]+)
EXTRACT-GROUP_SUB_Extract = Group\s?:\s+Security ID:\s*(?P<Group_Security_ID>(.*?))\s*Group Name:\s*(?P<Group_Group_Name>(.*?))\s*Group Domain:\s*(?P<Group_Group_Domain>(\S*?))\s
EXTRACT-NEWACCOUNT_SUB_Extract = New Account:\s+Security ID:\s*(?P(.?))\s*Account Name:\s(?P(.?))\s*Account Domain:\s(?P(\S*))
EXTRACT-NEWLOGON_SUB_Extract = New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*Account Domain:\s*(?P<NLogon_Account_Domain>(\S*?))\s+Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s
EXTRACT-SUBJECT_SUB_Extract = Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*Logon ID:\s*(?P<Subject_Logon_ID>\S*?)

Any ideas?

0 Karma