Who Created AD accounts?

lm_dh · ‎08-21-2019

I have searched and know that WinEvent ID 4720 shows that an account was created. I cannot seem to find how to show me WHO created the account(s). I've tried:
index=_audit action=edit_user operation=create
I've done some searches within AD and I do not see anything related to account creation, knowing that I just created some accounts recently. Can someone help me define a search that will show WHO created an account? I'm suspecting that some advanced auditing is not turned on in AD, but cannot confirm. Help!

lm_dh · ‎08-22-2019

So, I tried this:
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatED=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatOR=mvindex(Account_Name,1)

All of them come up with 0 events, and I set it to "All time" for the period. Hopefully you see why I am frustrated...

Timmy2790 · ‎08-05-2020

Hey Man,

If haven't solved your issue, your search should look like this:

index="windows_security" sourcetype="wineventlog:security" (EventCode=4720)

| eval creator=mvindex(Account_name,0), Created=mvindex(Account_name,1)

| Table Created, Creator

Results!

richgalloway · ‎08-21-2019

You won't find that information in the _audit index. That is where Splunk audits itself.

The creator of an account specified in the 4720 event in the Subject fields. See https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720 for more information. When the event is indexed into Splunk, the Subject.Account_Name and New_Account,Account_Name fields probably will be combined into a multi-valued Account_Name field. Use mvindex(Account_Name,0) to get one and mvindex(Account_Name,1) to get the other.

---
If this reply helps you, Karma would be appreciated.

lm_dh · ‎08-22-2019

sorry to be thick, but I actually got that part.... I'm looking for something on the left side of your pipe ( | ), how to view these. I would imagine it would be something like "index= something" although I'm not making much progress in my attempts.

richgalloway · ‎08-22-2019

The left side of the pipe depends on your environment. index=wineventlog EventCode=4720 would be my first guess.

---
If this reply helps you, Karma would be appreciated.

lm_dh · ‎08-22-2019

I will do some digging. Thank you! I'll post back with my results!

lm_dh · ‎08-21-2019

I follow you all the way until you say "use mvindex(Account_name,0). Can you give me a Splunk example? Sorry, I'm trying to learn to use Splunk....
Thank you btw, I am going to also look into the Windows security log to see if I can get the Subject information that way.

richgalloway · ‎08-21-2019

A multi-valued field contains more than one value and cannot be accessed like other fields. So Splunk gave us 'mv' commands and functions. To get the first value of a multi-value field, use the mvindex function inside an eval. To expand my example above: ... | eval Creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1) | ....

---
If this reply helps you, Karma would be appreciated.

Who Created AD accounts?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?