Splunk Enterprise Security

Who Created AD accounts?

lm_dh
New Member

I have searched and know that WinEvent ID 4720 shows that an account was created. I cannot seem to find how to show me WHO created the account(s). I've tried:
index=_audit action=edit_user operation=create
I've done some searches within AD and I do not see anything related to account creation, knowing that I just created some accounts recently. Can someone help me define a search that will show WHO created an account? I'm suspecting that some advanced auditing is not turned on in AD, but cannot confirm. Help!

0 Karma

lm_dh
New Member

So, I tried this:
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatED=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatOR=mvindex(Account_Name,1)

All of them come up with 0 events, and I set it to "All time" for the period. Hopefully you see why I am frustrated...

0 Karma

Timmy2790
Engager

Hey Man,

If you haven't solved your issue, your search should look like this:

index="windows_security" sourcetype="wineventlog:security" (EventCode=4720)
| eval creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1)
| table Created, Creator

Results!

0 Karma

richgalloway
SplunkTrust

You won't find that information in the _audit index. That is where Splunk audits itself.

The creator of an account is specified in the 4720 event in the Subject fields. See https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720 for more information. When the event is indexed into Splunk, the Subject.Account_Name and New_Account.Account_Name fields probably will be combined into a multi-valued Account_Name field. Use mvindex(Account_Name,0) to get one and mvindex(Account_Name,1) to get the other.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lm_dh
New Member

Sorry to be thick, but I actually got that part.... I'm looking for something on the left side of your pipe ( | ), how to view these. I would imagine it would be something like "index= something", although I'm not making much progress in my attempts.

0 Karma

richgalloway
SplunkTrust

The left side of the pipe depends on your environment. index=wineventlog EventCode=4720 would be my first guess.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lm_dh
New Member

I will do some digging. Thank you! I'll post back with my results!

0 Karma

lm_dh
New Member

I follow you all the way until you say "use mvindex(Account_Name,0)". Can you give me a Splunk example? Sorry, I'm trying to learn to use Splunk....
Thank you btw, I am going to also look into the Windows security log to see if I can get the Subject information that way.

0 Karma

richgalloway
SplunkTrust

A multi-valued field contains more than one value and cannot be accessed like other fields. So Splunk gave us 'mv' commands and functions. To get the first value of a multi-value field, use the mvindex function inside an eval. To expand my example above: ... | eval Creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1) | ....

---
If this reply helps you, Karma would be appreciated.
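To make the mvindex(Account_Name,0) / mvindex(Account_Name,1) mapping from the replies above concrete, here is an added Python example (not from the thread or from Splunk) that parses the message body of a 4720 event the way Windows lays it out: the Subject block (who did it) comes first, the New Account block (what was created) second, so collapsing the two "Account Name" lines into one list in document order gives index 0 = creator and index 1 = created account. All event text, SIDs, account names and the allowed-creator list are constructed sample data.

```python
import re
from collections import Counter

# Layout of the message body of Windows Security event 4720 ("A user account was
# created"), as Windows writes it. Everything filled in below is constructed sample data.
EVENT_4720_TEMPLATE = """A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-{creator_rid}
\tAccount Name:\t\t{creator}
\tAccount Domain:\t\t{domain}
\tLogon ID:\t\t0x3E7A1

New Account:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-{created_rid}
\tAccount Name:\t\t{created}
\tAccount Domain:\t\t{domain}

Attributes:
\tSAM Account Name:\t{created}
\tUser Principal Name:\t{created}@corp.example
"""


def build_4720(creator, created, creator_rid, created_rid, domain="CORP"):
    """Render one constructed 4720 body (sample data, not a real log)."""
    return EVENT_4720_TEMPLATE.format(creator=creator, created=created,
                                      creator_rid=creator_rid,
                                      created_rid=created_rid, domain=domain)


# Three constructed events: two creations by admin.jdoe, one by helpdesk.tech.
SAMPLE_EVENTS = [
    build_4720("admin.jdoe", "svc-backup", 1105, 1320),
    build_4720("helpdesk.tech", "j.smith", 1204, 1321),
    build_4720("admin.jdoe", "tmp-contractor", 1105, 1322),
]

# A section header is an unindented line such as "Subject:" or "New Account:".
SECTION_RE = re.compile(r"^(\w[\w ]*):\s*$", re.MULTILINE)


def parse_sections(message):
    """Split the event body into {section: {field: value}}.

    Indented "Field:<tabs>value" lines belong to the most recent header.
    """
    sections, current = {}, None
    for line in message.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or not line.strip():
            continue
        field, _, value = line.strip().partition(":")
        sections[current][field.strip()] = value.strip()
    return sections


def account_name_mv(message):
    """All "Account Name" values in document order.

    This is what Splunk's extraction collapses into the multivalue Account_Name
    field: [0] is the Subject (creator), [1] is the New Account (created).
    The anchored regex deliberately skips "SAM Account Name" under Attributes.
    """
    return re.findall(r"^\s*Account Name:\s*(\S+)", message, re.MULTILINE)


def who_created_whom(message):
    """Creator and created account as DOMAIN\\name, plus both SIDs."""
    s = parse_sections(message)
    subj, new = s["Subject"], s["New Account"]
    return {
        "creator": f"{subj['Account Domain']}\\{subj['Account Name']}",
        "creator_sid": subj["Security ID"],
        "created": f"{new['Account Domain']}\\{new['Account Name']}",
        "created_sid": new["Security ID"],
    }


def creation_report(messages):
    """Rows of (creator, created) for each event and a per-creator count."""
    rows = [who_created_whom(m) for m in messages]
    return rows, Counter(r["creator"] for r in rows)


def unexpected_creators(messages, allowed_creators):
    """Rows whose creator is outside the set of accounts expected to create users."""
    rows, _ = creation_report(messages)
    return [r for r in rows if r["creator"] not in allowed_creators]


if __name__ == "__main__":
    rows, counts = creation_report(SAMPLE_EVENTS)
    for r in rows:
        print(f"{r['creator']} created {r['created']}")
    print("creations per creator:", dict(counts))
    # Constructed allow-list: only this account is expected to create users.
    print("unexpected:", unexpected_creators(SAMPLE_EVENTS, {"CORP\\admin.jdoe"}))
```

Two practical notes that follow from this: the index-0/index-1 ordering is only as reliable as the extraction that produced the multivalue field, so run `| table Account_Name` once on a known event to confirm which position holds the Subject in your environment before building reports on it; and 4720 is written only when the "Audit User Account Management" subcategory (Account Management) is enabled on the domain controllers, which is the first thing to check when the search returns nothing even over "All time".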