I know this has always been kind of a sore subject due to the userAccountControl property flags being stored in a bit counter that is converted to/from hexadecimal, and the combined value of the different flags will not traditionally be identical based on certain criteria.
Am I missing an easy way to search for if a user's account is modified and the specific value which is listed as 0x40000 is removed or added to an account to flag on? Possibly a function of the existing TAs that I don't know about?
Thanks!
Could you explain why a value stored in a bit counter would be a sore subject? I do not know how many bits are in userAccountControl, but if you can tell which bit represents use of smartcard-based auth, you can always calculate whether that bit is modified. For example,
| eval smartCardBit = floor(tonumber(userAccountControl, 16) / pow(2, smartCardBitPos - 1)) % 2
Here, smartCardBitPos is 1-based from LSB.
If your instance is 9.2 or above, there is also a set of bitwise functions.
I would say that the core of this question was "easy" 😉
I don't suppose browsing through all AD users and calculating particular bit state is a very effective method. I think that's the main issue here.
And honestly, I don't see a good solution here. One could try storing that one as an indexed field or push it into some form of accelerated data model, but even having this stored in a quickly-available data set doesn't mean that you can just use it straightforwardly in a search. The only possibly effective way to tackle finding users with given bit set or not set would be to do some form of tstats values to get a set of existing values, filter them out by the state of the bit and only search for specific values - all this assuming that there is a relatively small set of those UAC field values.
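The two ideas in this thread, testing the 0x40000 bit on old and new userAccountControl values and narrowing a search to the distinct values that carry the bit, are sketched below as an added example that is not code from any poster. The user names, sample values, and helper names are constructed for illustration.

```python
# Added example, not from the thread. Sample users and UAC values are constructed.
SMARTCARD_REQUIRED = 0x40000  # flag value quoted in the question


def parse_uac(value):
    """Accept an int or a hex string such as '0x40210' (with or without 0x)."""
    if isinstance(value, int):
        return value
    return int(value.strip(), 16)


def smartcard_change(old_uac, new_uac):
    """Return 'added', 'removed' or None for the smartcard bit between two values."""
    old_set = bool(parse_uac(old_uac) & SMARTCARD_REQUIRED)
    new_set = bool(parse_uac(new_uac) & SMARTCARD_REQUIRED)
    if old_set == new_set:
        return None  # other flags may have changed, but not this one
    return "added" if new_set else "removed"


def search_filter(distinct_values, field="userAccountControl", bit_set=True):
    """Keep the distinct UAC values whose smartcard bit is in the wanted state
    and build an IN (...) filter from them (assumes the set of values is small)."""
    keep = [v for v in distinct_values
            if bool(parse_uac(v) & SMARTCARD_REQUIRED) == bit_set]
    if not keep:
        return None
    return "{} IN ({})".format(field, ", ".join('"{}"'.format(v) for v in keep))


def flagged(changes):
    """Return (user, change) for every record where the smartcard bit flipped."""
    results = []
    for user, old_uac, new_uac in changes:
        change = smartcard_change(old_uac, new_uac)
        if change:
            results.append((user, change))
    return results


# Constructed sample data: (user, old UAC value, new UAC value)
CHANGES = [("alice", "0x10", "0x40010"),
           ("bob", "0x40210", "0x210"),
           ("carol", "0x210", "0x10210")]
DISTINCT = ["0x10", "0x210", "0x40010", "0x40210", "0x10210"]

if __name__ == "__main__":
    for user, change in flagged(CHANGES):
        print(user, "smartcard requirement", change)
    print(search_filter(DISTINCT))
```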