
Can you help me create a dashboard based on a number of Windows events?

gopenshaw
Explorer

I'm trying to create a dashboard based on a number of Windows events and I have been banging my head up against this one all day.
The event structure is always similar to:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=$computername
TaskCategory=Logon
OpCode=Info
RecordNumber=299255
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     No

Impersonation Level:        Impersonation

New Logon:
    Security ID:        $DOMAIN\$username
    Account Name:       $username
    Account Domain:     $FQDN
    Logon ID:       $LOGON_ID
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     $LOGON_GUID

I've been trying to extract the Security IDs as two separate fields and so far, in this particular context, I have failed. I've tried a number of things. The closest I've gotten is using a field transformation to combine the two and then splitting. However, the split is not always on the same delimiter, e.g. some Security IDs have a space between, so I can't split on that.

I actually have this working for a different check using the following:

index=wineventlog EventCode=4740 | eval temp=split(member_id,"$DOMAIN\\") | eval "Locked Account"=mvindex(temp,1) | rename Caller_Computer_Name as "Lockout Source",_time as "Lockout Event Time" | convert ctime("Lockout Event Time") | table "Lockout Event Time", "Locked Account", "Lockout Source"

(member_id is a concatenation of both Security_IDs)
However, this doesn't work for the above example because the 2nd Security ID is not always $DOMAIN\$username.

Hope this makes sense!

0 Karma
1 Solution

mdelwaide
Path Finder

Have you tried extracting the Security IDs by creating a new field representing the parent? We had the same problem; users wanted to have a distinct field for each Security ID, and we used an extract in props.conf to do it:

[WinEventLog:Security]
EXTRACT-SUBJECT_SUB_Extract = Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*Logon ID:\s*(?P<Subject_Logon_ID>\S+)
EXTRACT-GROUP_SUB_Extract = Group\s?:\s+Security ID:\s*(?P<Group_Security_ID>(.*?))\s*Group Name:\s*(?P<Group_Group_Name>(.*?))\s*Group Domain:\s*(?P<Group_Group_Domain>(\S*?))\s
EXTRACT-NEWLOGON_SUB_Extract = New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*Account Domain:\s*(?P<NLogon_Account_Domain>(\S*?))\s+Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s

M.


0 Karma
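As an added example, not code from the thread, the SUBJECT and NEWLOGON regexes from the answer above are run against a constructed 4624 event in Python. Python's re module accepts the same (?P<name>...) named-group syntax as Splunk's PCRE, so a regex can be exercised here before it goes into props.conf. Two details differ from the regexes as posted and are marked in the comments: the Subject Logon ID group ends in \S+ rather than a trailing lazy \S*? (which can match the empty string), and the New Logon Account Domain group is .*? so that a multi-word domain such as NT AUTHORITY still matches. The second constructed event carries a well-known SID in New Logon, the case the question says defeats splitting on $DOMAIN\, and the block shows that split returning nothing while the regexes still yield both SIDs as separate fields. The host, domain, user and IDs are made up.

```python
"""Check the props.conf EXTRACT regexes against a sample 4624 event.

Splunk's EXTRACT-* settings are PCRE with (?P<name>...) named groups; Python's
re module accepts the same syntax, so the patterns can be exercised here
before they go into props.conf. Added example, not the thread's own code; the
events below are constructed.
"""
import re
from typing import Dict, Optional

# Constructed 4624 event in the layout shown in the question. Host, domain,
# user and IDs are made up; indentation is spaces rather than the tabs in real
# events, which makes no difference to the \s classes in the regexes.
NORMAL_LOGON = """\
LogName=Security
EventCode=4624
TaskCategory=Logon
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -

New Logon:
    Security ID:        CORP\\jdoe
    Account Name:       jdoe
    Account Domain:     corp.example.com
    Logon ID:       0x3E7A1
    Linked Logon ID:        0x0
    Logon GUID:     {00000000-0000-0000-0000-000000000000}
"""

# Same event, but the New Logon SID is a well-known SID rather than
# DOMAIN\user: the case the question says defeats splitting on "DOMAIN\".
ANONYMOUS_LOGON = (
    NORMAL_LOGON
    .replace("Security ID:        CORP\\jdoe", "Security ID:        S-1-5-7")
    .replace("Account Name:       jdoe", "Account Name:       ANONYMOUS LOGON")
    .replace("Account Domain:     corp.example.com", "Account Domain:     NT AUTHORITY")
)

# The SUBJECT and NEWLOGON regexes from the accepted answer, with two changes:
# Subject_Logon_ID ends in \S+ (a trailing lazy \S*? matches the empty string,
# so the field would always be blank), and NLogon_Account_Domain is .*? so a
# multi-word domain such as "NT AUTHORITY" still matches.
EXTRACTS: Dict[str, re.Pattern] = {
    "SUBJECT_SUB_Extract": re.compile(
        r"Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*"
        r"Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*"
        r"Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*"
        r"Logon ID:\s*(?P<Subject_Logon_ID>\S+)"
    ),
    "NEWLOGON_SUB_Extract": re.compile(
        r"New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*"
        r"Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*"
        r"Account Domain:\s*(?P<NLogon_Account_Domain>(.*?))\s*"
        r"Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s"
    ),
}


def extract_fields(event: str) -> Dict[str, str]:
    """Apply every EXTRACT regex to the raw event and merge the named groups,
    as Splunk does at search time: first match only, and a regex that does
    not match contributes no fields."""
    fields: Dict[str, str] = {}
    for pattern in EXTRACTS.values():
        match = pattern.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


def split_approach(fields: Dict[str, str], domain_prefix: str = "CORP\\") -> Optional[str]:
    """The question's original method: concatenate both Security IDs and
    split on the domain prefix. Returns what mvindex(temp, 1) would return,
    i.e. None whenever the delimiter does not occur."""
    member_id = fields["Subject_Security_ID"] + fields["NLogon_Security_ID"]
    parts = member_id.split(domain_prefix)
    return parts[1] if len(parts) > 1 else None


if __name__ == "__main__":
    for label, event in (("DOMAIN\\user", NORMAL_LOGON), ("well-known SID", ANONYMOUS_LOGON)):
        fields = extract_fields(event)
        print(f"{label}: Subject_Security_ID={fields['Subject_Security_ID']!r} "
              f"NLogon_Security_ID={fields['NLogon_Security_ID']!r} "
              f"split()={split_approach(fields)!r}")
```

Running it prints one line per event; for the anonymous logon the split() column is None while both Security ID fields are populated, which is exactly why a per-section regex beats concatenating and splitting. The same patterns can be dropped back into the props.conf stanza unchanged, and the script is a cheap place to add further sample events (a computer account such as CORP\WS01$, a local account, a SYSTEM logon) before trusting a dashboard built on the fields.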


mstjohn_splunk
Splunk Employee

Hi @gopenshaw,

It looks like this user mdelwaide provided the answer you were looking for. I converted their comment to an answer so that you could approve it.

Thanks!

0 Karma

gopenshaw
Explorer

Oddly, if I create these from the WebUI the exact same config is put into props.conf, but it seems to be working fine. Thanks for your help

0 Karma

gopenshaw
Explorer

Thanks mdelwaide, this is exactly what I was looking for. I have applied this to our props.conf however the results from a sourcetype="WinEventLog:Security" don't bring up these additional fields.

I have added this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf, and I can see using btool that it has been loaded:

[splunk@ Splunk_TA_windows]$ /opt/splunk/bin/splunk cmd btool props list WinEventLog:Security | grep -i extract
EXTRACT-ACCLOCKOUT_SUB_Extract = Account That Was Locked Out:\s+Security ID:\s*(?P(.?))\s*Account Name:\s(?P(.))
EXTRACT-Account_Creator,Account_Created = (?m)(?s)Account\sName+?:\s+(?[a-zA-Z0-9-_]+).*Account\sName:\s+(?[a-zA-Z0-9-_]+)
EXTRACT-GROUP_SUB_Extract = Group\s?:\s+Security ID:\s*(?P<Group_Security_ID>(.*?))\s*Group Name:\s*(?P<Group_Group_Name>(.*?))\s*Group Domain:\s*(?P<Group_Group_Domain>(\S*?))\s
EXTRACT-NEWACCOUNT_SUB_Extract = New Account:\s+Security ID:\s*(?P(.?))\s*Account Name:\s(?P(.?))\s*Account Domain:\s(?P(\S*))
EXTRACT-NEWLOGON_SUB_Extract = New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*Account Domain:\s*(?P<NLogon_Account_Domain>(\S*?))\s+Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s
EXTRACT-SUBJECT_SUB_Extract = Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*Logon ID:\s*(?P<Subject_Logon_ID>\S*?)

Any ideas?

0 Karma