
Help with windows security event log search string

adrianmiron
Explorer

In order to find out if and when a member was added to a security group, I have done a search for EventCode=4728. The search returned the following:

10/20/2013 01:10:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4728
EventType=0
Type=Information
ComputerName=server1.domainname.com
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=5551234
Keywords=Audit Success
Message=A member was added to a security-enabled global group.

Subject:
Security ID:        domainname\jdoe
Account Name:       jdoe
Account Domain:     domainname
Logon ID:           0x1e3ef1d1

Member:
Security ID:        domainname\jdoe
Account Name:       CN=John Doe,OU=My Users OU,DC=domainname,DC=com

Group:
Security ID:        domainname\Test Users
Group Name:         Test Users
Group Domain:       domainname

Additional Information:
Privileges:         -

Once I viewed this information I changed my search to look like this:

EventCode=4727 |rename Account_Name as Modifier | rename Group_Name as "Modified Group" |table _time, Host, Modifier, "Modified Group", user

My problem is that I don't know how to deal with the two account names when I display the information in a table. The Modifier displays the right information which is the first account name. I would like user to display the information from "Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com" and label it as "Member Added" as that is the member that was added to the Test Users group name.

1 Solution

kristian_kolb
Ultra Champion

Since Account_Name is a multivalued field, you'll have to get the correct value out of the array.

index=blah sourcetype=bleh EventCode = 4727 
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Added = mvindex(Account_Name, 1) 
| rename Group_Name AS Modified_Group 
| table _time host Modifier Modified_Group Member_Added 

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

/K
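As an added illustration (not part of the thread or of Splunk), a Python sketch of why mvindex works here: Splunk's Account_Name holds every "Account Name:" value in document order, so index 0 is the Subject (who made the change) and index 1 is the Member (who was added). The sample event and the helper names are constructed; the section-aware parser shows a form that does not depend on that order, which matters when other event IDs carry the same field two or three times.

```python
import re
# Constructed sample modelled on the 4728 message in the question (not a real log).
EVENT_4728 = r"""
Subject:
Security ID:        domainname\jdoe
Account Name:       jdoe
Account Domain:     domainname

Member:
Security ID:        domainname\jdoe
Account Name:       CN=John Doe,OU=My Users OU,DC=domainname,DC=com

Group:
Security ID:        domainname\Test Users
Group Name:         Test Users
Group Domain:       domainname
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")        # "Subject:" style headers
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*\S)\s*$")  # "Field:   value" lines


def multivalue(message, field):
    """Every value of `field` in document order: Splunk's multivalued Account_Name."""
    values = []
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) == field:
            values.append(m.group(2))
    return values  # mvindex(Account_Name, 0) is element 0 of this list


def parse_sections(message):
    """Return {section: {field: value}} keyed by the Subject/Member/Group headers."""
    sections, current = {}, "_top"
    for line in message.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1)] = m.group(2)
    return sections


def group_change_row(message):
    """Section-aware form of the answer's table row; independent of field order."""
    s = parse_sections(message)
    return {"Modifier": s["Subject"]["Account Name"],
            "Member_Added": s["Member"]["Account Name"],
            "Modified_Group": s["Group"]["Group Name"]}
```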


SQservicedesk
Explorer

Thank you so much! This is extremely helpful for any event id pulled from the Windows Security Log. Often there are 2 or 3 fields named the same (e.g. Account_Name) and you only want to pull the one value out. Kristian's answer solved my issue big time.

0 Karma

adrianmiron
Explorer

Thank you Kristian. That worked, and you have opened my eyes to the fact that there are evaluation functions. I am very new at this. Thanks again for your help, it is much appreciated.

0 Karma
