Splunk Search
Highlighted

How to extract Target Account Name or Subject Account Name Security ID field from Windows Security Log?

New Member

I'm searching on Windows Security Auditing logs and the SecurityID field but when I do, I'm realizing that there is a section for Subject and Target Account. I want to be able to extract each into its own unique field so I can search on one or the other. Here's a sample event log. Right now, both account1 and account2 would be in a field called SecurityID and I need to split the two. Thanks!

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4738
EventType=0
Type=Information
ComputerName=server.domain.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=00000000
Keywords=Audit Success
Message=A user account was changed.

    Subject:
        Security ID:        DOMAIN\account_1
        Account Name:       account_1
        Account Domain:     DOMAIN
        Logon ID:       0000000

    Target Account:
        Security ID:        DOMAIN\account_2
        Account Name:       account_2
        Account Domain:     DOMAIN
0 Karma
Highlighted

Re: How to extract Target Account Name or Subject Account Name Security ID field from Windows Security Log?

Legend

Hi erictodor,
you have to use a multi line regex, something like this:

(?ms)Target Account:.*Security ID:\s+(?<Security_ID>[^ ]*)

you can test it at https://regex101.com/r/ZGJi2D/1

Bye.
Giuseppe

View solution in original post

Highlighted

Re: How to extract Target Account Name or Subject Account Name Security ID field from Windows Security Log?

Explorer

|eval name1=mvindex(AccountName,0)
|eval name2=mvindex(Account
Name,1)