Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with windows security event log search string

adrianmiron
Explorer
‎10-20-2013 12:21 PM

In order to find out if and when a member was added to a security group,I have done a search for EventCode=4728. The search returned the following:

10/20/2013 01:10:24 PM

LogName=Security

SourceName=Microsoft Windows security auditing.

EventCode=4728

EventType=0

Type=Information

ComputerName=server1.domainname.com

TaskCategory=Security Group Management

OpCode=Info

RecordNumber=5551234

Keywords=Audit Success

Message=A member was added to a security-enabled global group.

Subject:

Security ID:        domainname\jdoe
Account Name:       jdoe
Account Domain:     domainname
Logon ID:       0x1e3ef1d1

Member:

Security ID:        domainname\jdoe
Account Name:       CN=John Doe,OU=My Users OU,DC=domainname,DC=com

Group:

Security ID:        domainname\Test Users
Group Name:     Test Users
Group Domain:       domainname

Additional Information:
Privileges: -

Once I viewed this information I changed my search to look like this:

EventCode=4727 |rename Account_Name as Modifier | rename Group_Name as "Modified Group" |table _time, Host, Modifier, "Modified Group", user

My problem is that I don't know how to deal with the two account names when I display the information in a table. The Modifier displays the right information which is the first account name. I would like user to display the information from "Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com" and label it as "Member Added" as that is the member that was added to the Test Users group name.

Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-20-2013 01:22 PM

Since Account_Name is a multivalued field, you'll have to get the correct value out of the array.

index=blah sourcetype=bleh EventCode = 4727 
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Added = mvindex(Account_Name, 1) 
| rename Group_Name AS Modified_Group 
| table _time host Modifier Modified_Group Member_Added

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

/K

View solution in original post

Reply
Solved! Jump to solution

SQservicedesk
Explorer
‎12-20-2015 01:21 AM

Thank you so much! This is extremely helpful for any event id pulled from the Windows Security Log. Often there are 2 or 3 fields named the same (e.g. Account_Name) and you only want to pull the one value out. Kristian's answer solved my issue big time.

0 Karma
Reply
Solved! Jump to solution

adrianmiron
Explorer
‎10-21-2013 06:47 AM

Thank you Kristian. That worked, and you have opened my eyes to the fact that there are evaluation functions. I am very new at this. Thanks again for your help, it is much appreciated.

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-20-2013 01:22 PM

Since Account_Name is a multivalued field, you'll have to get the correct value out of the array.

index=blah sourcetype=bleh EventCode = 4727 
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Added = mvindex(Account_Name, 1) 
| rename Group_Name AS Modified_Group 
| table _time host Modifier Modified_Group Member_Added

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

/K

Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...
Top