Detecting MS14-068 (AD) exploitation attempts. How to concatenate the Domain Name and Account name in the search query?

elaineli1010
Engager

I'm trying to query instances where Security_ID != {Domain Name}\Account_Name in the security event logs per Microsoft's guidance, but I can't concatenate the Domain Name and Account Name in the query.

E.g. CONTOSO\bob != bob

All help is appreciated!!

1 Solution

tmccamant
Explorer

I believe this is what you are looking for.

sourcetype=WinEventLog:Security EventCode=4624
| eval Logon_Account_Name = mvindex(Account_Name,1)
| eval Logon_Account_Name = upper(Logon_Account_Name)
| eval Sec_ID = mvindex(Security_ID,1)
| eval temp = split(Sec_ID,"\\")
| eval Sec_ID = mvindex(temp,1)
| eval Sec_ID = upper(Sec_ID)
| where Sec_ID != Logon_Account_Name
| stats count by Sec_ID, Logon_Account_Name
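
The same comparison applied to raw 4624 message text, as an added example that is not part of the original post. It also reports Security ID values that have no DOMAIN\ prefix instead of leaving them out. The sample events and the names `make_event`, `classify` and `scan` are constructed for illustration, and the code assumes the Subject block precedes the New Logon block in the message.

```python
import re

# Constructed 4624 message bodies (not real log data).
# Assumed layout: the "Subject" block comes first and "New Logon" second,
# which is why the search above reads index 1 of each multivalue field.
def make_event(sec_id, account):
    return (
        "An account was successfully logged on.\n"
        "Subject:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        "\tAccount Name:\t\t-\n"
        "New Logon:\n"
        f"\tSecurity ID:\t\t{sec_id}\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tCONTOSO\n"
    )

SAMPLE_EVENTS = [
    make_event(r"CONTOSO\bob", "bob"),
    make_event(r"CONTOSO\Administrator", "bob"),
    make_event("S-1-5-21-1111111111-2222222222-3333333333-1105", "bob"),
]

FIELD = re.compile(r"^[ \t]*(Security ID|Account Name):[ \t]*(.*?)[ \t]*$", re.M)

def classify(message):
    """Return 'match', 'mismatch', 'unresolved' or 'malformed' for one event."""
    values = {"Security ID": [], "Account Name": []}
    for name, value in FIELD.findall(message):
        values[name].append(value)
    if len(values["Security ID"]) < 2 or len(values["Account Name"]) < 2:
        return "malformed"                 # no New Logon block to compare
    sec_id = values["Security ID"][1]      # same as mvindex(Security_ID,1)
    account = values["Account Name"][1]    # same as mvindex(Account_Name,1)
    _, sep, sid_account = sec_id.rpartition("\\")
    if not sep:
        # No DOMAIN\ prefix (for example a raw SID): split() yields a single
        # element, so mvindex(temp,1) has nothing to compare. Report it.
        return "unresolved"
    return "match" if sid_account.upper() == account.upper() else "mismatch"

def scan(events):
    return [classify(e) for e in events]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_EVENTS):
        print(verdict)
```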

elaineli1010
Engager

That worked wonderfully! Thank you so much!

0 Karma

tmccamant
Explorer

No Problem. I'm glad I could help.

0 Karma