Edit: After working with Splunk support, this issue is fixed in TA version 8.5.0.
I recently upgraded our Windows TA from 8.0.0 to 8.2.0. I've noticed that with the Event IDs relating to users being removed or added to groups (4728, 4729, 4732) the user removed or added is logged by Windows with their full DN. Splunk before the upgrade was pulling the full DN and extracting it into the user field. Now it seems to not be doing the same. Our DNs contain "Lastname, Firstname" with the log having that first comma escaped.
12/09/2021 00:00:00 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4732
EventType=0
Type=Information
ComputerName=domaincontroller
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1111111111
Keywords=Audit Success
Message=A member was added to a security-enabled local group.
Subject:
Security ID: CONTOSO\user_admin
Account Name: user_admin
Account Domain: CONTOSO
Logon ID: 0xD5D5D5DA
Member:
Security ID: CONTOSO\FLastname
Account Name: CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com
Group:
Security ID: CONTOSO\Group_RW
Group Name: Group_RW
Group Domain: CONTOSO
This is extracted correctly into the Account_Name field, though both the Subject and Member users are placed into Account_Name as an mv field. For some reason, when this same value is extracted into user, it gets extracted only as "Lastname\".
I've done a diff on the default\props and transforms and didn't see any changes to the extractions of this field that I can find, and I had no customization here. I'm at a bit of a loss as to why this would even change. We are using the WinEventLog:Security sourcetype as well. Other extractions seem to be working as intended.
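As an added example, not from the post, the Splunk Windows TA, or Splunk support, the Python below reproduces the truncation the poster describes. A capture that ends the value at the first comma stops at the backslash that escapes the comma in an RFC 4514 distinguished name (giving "Lastname\"), while a capture that treats backslash-escaped pairs as part of the value returns the whole common name. The sample event text, the regex names, and the helper functions are constructed for illustration; they are not the TA's real props.conf or transforms.conf extractions.

```python
import re

# Constructed sample modelled on the 4732 event in the post (not a real log line).
# Raw string so the backslashes survive exactly as Windows writes them.
SAMPLE_EVENT = r"""Message=A member was added to a security-enabled local group.
Subject:
Security ID: CONTOSO\user_admin
Account Name: user_admin
Account Domain: CONTOSO
Logon ID: 0xD5D5D5DA
Member:
Security ID: CONTOSO\FLastname
Account Name: CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com
Group:
Security ID: CONTOSO\Group_RW
Group Name: Group_RW
Group Domain: CONTOSO"""

# Hypothetical "naive" extraction: the value ends at the first comma, so an
# escaped comma (\,) cuts the name off right after the escaping backslash.
NAIVE_CN = re.compile(r"Member:.*?Account Name:\s*CN=([^,]+)", re.S)

# RFC 4514-aware extraction: a value is a run of either a backslash-escaped
# pair (\, \\ \+ ...) or any character that is not an unescaped comma/backslash.
ESCAPED_CN = re.compile(r"Member:.*?Account Name:\s*CN=((?:\\.|[^,\\])+)", re.S)


def naive_member_user(event: str):
    """Extract the Member's CN with the comma-terminated pattern."""
    m = NAIVE_CN.search(event)
    return m.group(1) if m else None


def unescape_rdn(value: str) -> str:
    """Drop the escaping backslash in front of an escaped character ("\\," -> ",")."""
    return re.sub(r"\\(.)", r"\1", value)


def member_user(event: str):
    """Extract the Member's CN, keeping escaped commas as part of the name."""
    m = ESCAPED_CN.search(event)
    return unescape_rdn(m.group(1)) if m else None


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns = re.findall(r"([A-Za-z]+)=((?:\\.|[^,\\])*)(?:,|$)", dn)
    return [(attr, unescape_rdn(val)) for attr, val in rdns]


if __name__ == "__main__":
    print("naive   :", naive_member_user(SAMPLE_EVENT))   # Lastname\
    print("escaped :", member_user(SAMPLE_EVENT))         # Lastname, Firstname
    print("parsed  :", parse_dn("CN=Lastname\\, Firstname,OU=Users,DC=CONTOSO,DC=com"))
```

The escape-aware pattern `CN=((?:\\.|[^,\\])+)` is the piece a practitioner would test against the event in Splunk (for example with `rex` in search) before deciding whether the TA's extraction or a local override needs it; which stanza the TA actually uses is not known here and is not assumed.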