Splunk Enterprise Security

Who Created AD accounts?

lm_dh
New Member

I have searched and know that WinEvent ID 4720 shows that an account was created. I cannot seem to find how to show me WHO created the account(s). I've tried:
index=_audit action=edit_user operation=create
I've done some searches within AD and I do not see anything related to account creation, knowing that I just created some accounts recently. Can someone help me define a search that will show WHO created an account? I'm suspecting that some advanced auditing is not turned on in AD, but cannot confirm. Help!

0 Karma

lm_dh
New Member

So, I tried this:
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatED=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatOR=mvindex(Account_Name,1)

All of them come up with 0 events, and I set it to "All time" for the period. Hopefully you see why I am frustrated...

0 Karma

Timmy2790
Engager

Hey Man,

If you haven't solved your issue, your search should look like this:

index="windows_security" sourcetype="wineventlog:security" (EventCode=4720)
| eval creator=mvindex(Account_name,0), Created=mvindex(Account_name,1)
| Table Created, Creator

Results!

0 Karma

richgalloway
SplunkTrust

You won't find that information in the _audit index. That is where Splunk audits itself.

The creator of an account is specified in the 4720 event in the Subject fields. See https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720 for more information. When the event is indexed into Splunk, the Subject.Account_Name and New_Account.Account_Name fields probably will be combined into a multi-valued Account_Name field. Use mvindex(Account_Name,0) to get one and mvindex(Account_Name,1) to get the other.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

lm_dh
New Member

Sorry to be thick, but I actually got that part.... I'm looking for something on the left side of your pipe ( | ), how to view these. I would imagine it would be something like "index= something", although I'm not making much progress in my attempts.

0 Karma

richgalloway
SplunkTrust

The left side of the pipe depends on your environment. index=wineventlog EventCode=4720 would be my first guess.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

lm_dh
New Member

I will do some digging. Thank you! I'll post back with my results!

0 Karma

lm_dh
New Member

I follow you all the way until you say "use mvindex(Account_name,0)". Can you give me a Splunk example? Sorry, I'm trying to learn to use Splunk....
Thank you btw, I am going to also look into the Windows security log to see if I can get the Subject information that way.

0 Karma

richgalloway
SplunkTrust

A multi-valued field contains more than one value and cannot be accessed like other fields. So Splunk gave us 'mv' commands and functions. To get the first value of a multi-value field, use the mvindex function inside an eval. To expand my example above: ... | eval Creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1) | ....

---
If this reply helps you, an upvote would be appreciated.
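To show why index 0 of the multi-valued Account_Name field is the creator and index 1 is the new account (the point of the mvindex explanation and of the eval/table search above), here is an added Python example, not code from the thread or from Splunk: it takes a constructed 4720 event message, builds the Account_Name list the same way Splunk's extraction does (one value per "Account Name:" line, in order of appearance, so the Subject block comes first), and applies a small stand-in for mvindex. Note that Splunk field names are case sensitive; the default extraction for Windows security events is Account_Name.

```python
import re

# Constructed sample of a Windows Security event 4720 message, trimmed to the
# sections that matter here. SIDs and names are made up for illustration.
SAMPLE_4720 = """EventCode=4720
Message=A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tadmin.jane
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

New Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1204
\tAccount Name:\t\tsvc-backup
\tAccount Domain:\t\tCORP

Attributes:
\tSAM Account Name:\tsvc-backup
"""

# Match "Account Name:" only at the start of an (indented) line, so the
# "SAM Account Name:" line under Attributes is not picked up.
ACCOUNT_NAME_RE = re.compile(r"^\s*Account Name:\s*(\S+)\s*$", re.MULTILINE)


def account_name_mv(event_text):
    """Return the Account_Name values as a list in order of appearance.
    This mirrors how Splunk ends up with a multi-valued Account_Name field:
    the Subject's account name first, the New Account's name second."""
    return ACCOUNT_NAME_RE.findall(event_text)


def mvindex(values, i):
    """Minimal stand-in for Splunk's mvindex(): None when i is out of range,
    which is what you would see as a null field in a search result."""
    return values[i] if -len(values) <= i < len(values) else None


def creator_and_created(event_text):
    """Equivalent of: | eval Creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1)
    Index 0 is the Subject (who ran the operation), index 1 is the New Account."""
    mv = account_name_mv(event_text)
    return {"Creator": mvindex(mv, 0), "Created": mvindex(mv, 1)}


if __name__ == "__main__":
    print(creator_and_created(SAMPLE_4720))  # {'Creator': 'admin.jane', 'Created': 'svc-backup'}
```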