Splunk Enterprise Security

Who Created AD accounts?

lm_dh
New Member

I have searched and know that WinEvent ID 4720 shows that an account was created. I cannot seem to find how to show me WHO created the account(s). I've tried:
index=_audit action=edit_user operation=create
I've done some searches within AD and I do not see anything related to account creation, knowing that I just created some accounts recently. Can someone help me define a search that will show WHO created an account? I'm suspecting that some advanced auditing is not turned on in AD, but cannot confirm. Help!

0 Karma

lm_dh
New Member

So, I tried this:
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatED=mvindex(Account_Name,1)
and
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatOR=mvindex(Account_Name,1)

All of them come up with 0 events, and I set it to "All time" for the period. Hopefully you see why I am frustrated...

0 Karma

Timmy2790
Engager

Hey Man,

If you haven't solved your issue, your search should look like this:

index="windows_security" sourcetype="wineventlog:security" (EventCode=4720)
| eval creator=mvindex(Account_name,0), Created=mvindex(Account_name,1)
| Table Created, Creator

Results!

0 Karma

richgalloway
SplunkTrust

You won't find that information in the _audit index. That is where Splunk audits itself.

The creator of an account is specified in the 4720 event in the Subject fields. See https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720 for more information. When the event is indexed into Splunk, the Subject.Account_Name and New_Account.Account_Name fields probably will be combined into a multi-valued Account_Name field. Use mvindex(Account_Name,0) to get one and mvindex(Account_Name,1) to get the other.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

lm_dh
New Member

Sorry to be thick, but I actually got that part.... I'm looking for something on the left side of your pipe ( | ), how to view these. I would imagine it would be something like "index=something", although I'm not making much progress in my attempts.

0 Karma

richgalloway
SplunkTrust

The left side of the pipe depends on your environment. index=wineventlog EventCode=4720 would be my first guess.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

lm_dh
New Member

I will do some digging. Thank you! I'll post back with my results!

0 Karma

lm_dh
New Member

I follow you all the way until you say "use mvindex(Account_name,0)". Can you give me a Splunk example? Sorry, I'm trying to learn to use Splunk....
Thank you btw, I am also going to look into the Windows security log to see if I can get the Subject information that way.

0 Karma

richgalloway
SplunkTrust

A multi-valued field contains more than one value and cannot be accessed like other fields. So Splunk gave us 'mv' commands and functions. To get the first value of a multi-value field, use the mvindex function inside an eval. To expand my example above: ... | eval Creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1) | ....

---
If this reply helps you, an upvote would be appreciated.
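As an added illustration that is not part of this thread, the Python below shows why mvindex(Account_Name,0) is the creator and mvindex(Account_Name,1) the new account: the 4720 message body lists the Subject section (who acted) before the New Account section, so the two "Account Name" values are collected in that order. The sample event text is constructed, not a real log, and the section-aware variant at the end shows a check that reads each name from its own section instead of relying on value order.

```python
import re

# Constructed sample 4720 message body (not a real event). The Security log
# lists the Subject block before the New Account block, hence the index order.
SAMPLE_4720 = """\
A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-111-222-333-1104
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCORP

New Account:
\tSecurity ID:\t\tS-1-5-21-111-222-333-2001
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tCORP
"""

SECTION_RE = re.compile(r"^(\w[\w ]*):\s*$")  # unindented "Subject:" style headers

def parse_sections(event_text):
    """Split the message into {section: {field: value}} using its indentation."""
    sections, current = {}, None
    for line in event_text.splitlines():
        head = SECTION_RE.match(line)
        if head:
            current = head.group(1)
            sections[current] = {}
        elif current and ":" in line:
            key, _, val = line.strip().partition(":")
            sections[current][key.strip()] = val.strip()
    return sections

def account_name_mv(event_text):
    """All 'Account Name' values in document order: the multi-valued Account_Name field."""
    return [s["Account Name"] for s in parse_sections(event_text).values() if "Account Name" in s]

def mvindex(values, i):
    """Behave like SPL mvindex(): None when the index is out of range."""
    return values[i] if -len(values) <= i < len(values) else None

def creator_and_created(event_text):
    """Same as: eval Creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1)"""
    names = account_name_mv(event_text)
    return {"Creator": mvindex(names, 0), "Created": mvindex(names, 1)}

def creator_and_created_by_section(event_text):
    """Order-independent version: read each name from its own section."""
    s = parse_sections(event_text)
    return {"Creator": s.get("Subject", {}).get("Account Name"),
            "Created": s.get("New Account", {}).get("Account Name")}
```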