Solved: Detecting MS14-068 (AD) exploitation attempts. How...

elaineli1010 · ‎11-19-2014

I'm trying to query instances where Security_ID != {Domain Name}\Account_Name in the security event logs per Microsoft's guidance, but I can't concatenate the Domain Name and Account Name in the query.

E.g. CONTOSO\bob != bob

All help is appreciated!!

tmccamant · ‎11-20-2014

I believe this is what you are looking for.

sourcetype=WinEventLog:Security EventCode=4624  | eval Logon_Account_Name = mvindex(Account_Name,1) | eval Logon_Account_Name=upper(Logon_Account_Name) |  eval Sec_ID = mvindex(Security_ID,1) | eval temp=split(Sec_ID,"\\") | eval Sec_ID=mvindex(temp,1) | eval Sec_ID=upper(Sec_ID) | Where Sec_ID != Logon_Account_Name | stats count by Sec_ID, Logon_Account_Name

View solution in original post

tmccamant · ‎11-20-2014

I believe this is what you are looking for.

sourcetype=WinEventLog:Security EventCode=4624  | eval Logon_Account_Name = mvindex(Account_Name,1) | eval Logon_Account_Name=upper(Logon_Account_Name) |  eval Sec_ID = mvindex(Security_ID,1) | eval temp=split(Sec_ID,"\\") | eval Sec_ID=mvindex(temp,1) | eval Sec_ID=upper(Sec_ID) | Where Sec_ID != Logon_Account_Name | stats count by Sec_ID, Logon_Account_Name

elaineli1010 · ‎11-25-2014

That worked wonderfully! Thank you so much!

tmccamant · ‎12-02-2014

No Problem. I'm glad I could help.

Detecting MS14-068 (AD) exploitation attempts. How to concatenate the Domain Name and Account name in the search query?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!