I have searched and know that WinEvent ID 4720 shows that an account was created. I cannot seem to find how to show me WHO created the account(s). I've tried:
index=_audit action=edit_user operation=create
I've done some searches within AD and I do not see anything related to account creation, knowing that I just created some accounts recently. Can someone help me define a search that will show WHO created an account? I'm suspecting that some advanced auditing is not turned on in AD, but cannot confirm. Help!
So, I tried this:
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0)
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,1)
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatED=mvindex(Account_Name,1)
index=wineventlog Eventcode=4720 | eval Creator=mvindex(Account_Name,0), CreatOR=mvindex(Account_Name,1)
All of them come up with 0 events, and I set it to "All time" for the period. Hopefully you see why I am frustrated...
If haven't solved your issue, your search should look like this:
index="windows_security" sourcetype="wineventlog:security" (EventCode=4720)
| eval creator=mvindex(Account_name,0), Created=mvindex(Account_name,1)
| Table Created, Creator
You won't find that information in the _audit index. That is where Splunk audits itself.
The creator of an account specified in the 4720 event in the Subject fields. See https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720 for more information. When the event is indexed into Splunk, the Subject.Account_Name and New_Account,Account_Name fields probably will be combined into a multi-valued Account_Name field. Use
mvindex(Account_Name,0) to get one and
mvindex(Account_Name,1) to get the other.
sorry to be thick, but I actually got that part.... I'm looking for something on the left side of your pipe ( | ), how to view these. I would imagine it would be something like "index= something" although I'm not making much progress in my attempts.
I follow you all the way until you say "use mvindex(Account_name,0). Can you give me a Splunk example? Sorry, I'm trying to learn to use Splunk....
Thank you btw, I am going to also look into the Windows security log to see if I can get the Subject information that way.
A multi-valued field contains more than one value and cannot be accessed like other fields. So Splunk gave us 'mv' commands and functions. To get the first value of a multi-value field, use the
mvindex function inside an
eval. To expand my example above:
... | eval Creator=mvindex(Account_Name,0), Created=mvindex(Account_Name,1) | ....