
Help with windows security event log search string

adrianmiron
Explorer

In order to find out if and when a member was added to a security group, I have done a search for EventCode=4728. The search returned the following:

10/20/2013 01:10:24 PM

LogName=Security

SourceName=Microsoft Windows security auditing.

EventCode=4728

EventType=0

Type=Information

ComputerName=server1.domainname.com

TaskCategory=Security Group Management

OpCode=Info

RecordNumber=5551234

Keywords=Audit Success

Message=A member was added to a security-enabled global group.

Subject:

Security ID:        domainname\jdoe
Account Name:       jdoe
Account Domain:     domainname
Logon ID:       0x1e3ef1d1

Member:

Security ID:        domainname\jdoe
Account Name:       CN=John Doe,OU=My Users OU,DC=domainname,DC=com

Group:

Security ID:        domainname\Test Users
Group Name:     Test Users
Group Domain:       domainname

Additional Information:
Privileges: -

Once I viewed this information I changed my search to look like this:

EventCode=4727 |rename Account_Name as Modifier | rename Group_Name as "Modified Group" |table _time, Host, Modifier, "Modified Group", user

My problem is that I don't know how to deal with the two account names when I display the information in a table. The Modifier displays the right information which is the first account name. I would like user to display the information from "Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com" and label it as "Member Added" as that is the member that was added to the Test Users group name.

1 Solution

kristian_kolb
Ultra Champion

Since Account_Name is a multivalued field, you'll have to get the correct value out of the array.

index=blah sourcetype=bleh EventCode = 4727 
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Added = mvindex(Account_Name, 1) 
| rename Group_Name AS Modified_Group 
| table _time host Modifier Modified_Group Member_Added 

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

/K

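As an added illustration of why the accepted answer works (this is example code written for this page, not part of Kristian's post or of Splunk), here is a small Python model of what happens to the event text above. The Windows event message repeats the "Account Name:" key under the Subject and Member sections, so a key-based extraction yields one multivalued field with the values in order of appearance, and mvindex picks by position. The block also shows a section-aware parse, which keys on the Subject/Member/Group headings instead of on position. The sample event is constructed from the values quoted in the question, and the parser is an approximation of Splunk's Windows field extraction, not its actual code.

```python
import re

# Constructed sample: the Message body of the 4728 event quoted in the
# question (values copied from the post; not a captured log).
SAMPLE_EVENT = r"""Message=A member was added to a security-enabled global group.

Subject:
Security ID:        domainname\jdoe
Account Name:       jdoe
Account Domain:     domainname
Logon ID:       0x1e3ef1d1

Member:
Security ID:        domainname\jdoe
Account Name:       CN=John Doe,OU=My Users OU,DC=domainname,DC=com

Group:
Security ID:        domainname\Test Users
Group Name:     Test Users
Group Domain:       domainname

Additional Information:
Privileges: -
"""

# "Key:   value" lines; a header such as "Subject:" matches with an empty value.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def extract_field_values(message, field):
    """Return every value of `field` in order of appearance.

    This mirrors how a key-based extraction turns the repeated
    'Account Name:' lines into one multivalued field: position 0 is the
    Subject's account, position 1 is the Member's account.
    """
    values = []
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) == field:
            values.append(m.group(2))
    return values


def mvindex(values, index):
    """Splunk-style mvindex: an out-of-range index yields None (null),
    not an error, so a table cell is simply empty for such events."""
    try:
        return values[index]
    except IndexError:
        return None


def parse_sections(message):
    """Section-aware parse: {'Subject': {...}, 'Member': {...}, 'Group': {...}}.

    A line whose value is empty ("Subject:", "Member:", ...) opens a new
    section; subsequent key/value lines belong to that section.
    """
    sections, current = {}, None
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value == "":
            current = name
            sections[current] = {}
        elif current is not None:
            sections[current][name] = value
    return sections


def group_membership_row(message):
    """Build the same row the accepted search produces, but by section name,
    so Modifier and Member_Added cannot be swapped by a change in field order."""
    s = parse_sections(message)
    return {
        "Modifier": s["Subject"]["Account Name"],
        "Modified_Group": s["Group"]["Group Name"],
        "Member_Added": s["Member"]["Account Name"],
    }


if __name__ == "__main__":
    names = extract_field_values(SAMPLE_EVENT, "Account Name")
    print("Modifier     (mvindex 0):", mvindex(names, 0))
    print("Member_Added (mvindex 1):", mvindex(names, 1))
    print(group_membership_row(SAMPLE_EVENT))
```

The positional form is exactly what the accepted search does and is reliable for 4728, because the event template always lists Subject before Member. The section-aware form is the safer pattern when you build detections over several event IDs whose templates differ, since it does not depend on the order in which the repeated key appears.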

SQservicedesk
Explorer

Thank you so much! This is extremely helpful for any event id pulled from the Windows Security Log. Often there are 2 or 3 fields named the same (e.g. Account_Name) and you only want to pull the one value out. Kristian's answer solved my issue big time.


adrianmiron
Explorer

Thank you Kristian. That worked, and you have opened my eyes to the fact that there are evaluation functions. I am very new at this. Thanks again for your help, it is much appreciated.

