I want to filter the Subject Account Name in the event log below to those other than Admin. So I want to see the cases where this log appears outside of the Admin account. How can I do it?
11/29/2022 12:23:16 PM
LogName=Security
EventCode=4738
EventType=0
ComputerName=dc.windomain.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=247213
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was changed.
Subject:
Security ID: S-1-5-21-4236582264-665789389-1555517817-1000
Account Name: Admin
Account Domain: WINDOMAIN
Logon ID: 0x59B44
Target Account:
Security ID: S-1-5-21-4236582264-665789389-1555517817-1324
Account Name: aleda.billye
Account Domain: WINDOMAIN
Hi @realkazanova1,
you have to run a simple search like this:
index=wineventlog EventCode=4738 Account_name!="admin"
Pay attention to whether you have the Account_name field or another one.
If you don't have the correct field extractions, you have to install the Splunk_TA_Windows add-on (https://splunkbase.splunk.com/app/742) on your Search Head to correctly parse your data.
Ciao.
Giuseppe
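An added example, not part of the thread above and not Splunk code: the 4738 record in the question carries two "Account Name" lines, one under Subject (who made the change) and one under Target Account (whose account was changed). The Python below parses records laid out like that one, keeps only 4738 events whose Subject account is not Admin (case-insensitive, as Splunk compares field values), and contrasts that with a filter that does not distinguish the two lines, which wrongly keeps changes Admin made to other users. The sample records are constructed from the question's layout with made-up names and record numbers; the parser assumes the field names shown there.

```python
import textwrap

# Constructed sample record, laid out like the 4738 event in the question:
# "Key=Value" header lines, then a multi-line Message body with blocks
# ("Subject:", "Target Account:") of "Label: value" lines.
TEMPLATE = textwrap.dedent("""\
    11/29/2022 12:23:16 PM
    LogName=Security
    EventCode={code}
    EventType=0
    ComputerName=dc.windomain.local
    SourceName=Microsoft Windows security auditing.
    Type=Information
    RecordNumber={record}
    Keywords=Audit Success
    TaskCategory=User Account Management
    OpCode=Info
    Message=A user account was changed.
    Subject:
    Security ID: S-1-5-21-4236582264-665789389-1555517817-1000
    Account Name: {subject}
    Account Domain: WINDOMAIN
    Logon ID: 0x59B44
    Target Account:
    Security ID: S-1-5-21-4236582264-665789389-1555517817-1324
    Account Name: {target}
    Account Domain: WINDOMAIN
    """)

SAMPLE_EVENTS = [
    # the record from the question: Admin changed aleda.billye
    TEMPLATE.format(code=4738, record=247213, subject="Admin", target="aleda.billye"),
    # made up: a helpdesk account changed j.doe (this is the event we want to see)
    TEMPLATE.format(code=4738, record=247214, subject="svc.helpdesk", target="j.doe"),
    # made up: same Admin actor, different letter case
    TEMPLATE.format(code=4738, record=247215, subject="ADMIN", target="m.ray"),
    # made up: not a 4738, must be ignored by the EventCode filter
    TEMPLATE.format(code=4720, record=247216, subject="svc.helpdesk", target="new.user"),
]


def parse_event(raw):
    """Split one exported record into header fields and named Message blocks."""
    event = {"timestamp": None, "fields": {}, "sections": {}}
    section = None
    for lineno, line in enumerate(raw.strip().splitlines()):
        line = line.strip()
        if not line:
            continue
        if lineno == 0 and "=" not in line:
            event["timestamp"] = line          # first line is the event time
            continue
        if section is None and "=" in line:
            key, _, value = line.partition("=")  # header: Key=Value
            event["fields"][key] = value
            continue
        if line.endswith(":"):
            # a bare "Name:" line opens a block; Windows writes "-" for
            # empty attribute values, so attribute lines never end in ":"
            section = line[:-1]
            event["sections"][section] = {}
            continue
        if section is not None and ":" in line:
            key, _, value = line.partition(":")  # attribute: Label: value
            event["sections"][section][key.strip()] = value.strip()
    return event


def subject_account(event):
    return event["sections"].get("Subject", {}).get("Account Name")


def target_account(event):
    return event["sections"].get("Target Account", {}).get("Account Name")


def changes_not_by(raw_events, actor="Admin", event_code="4738"):
    """4738 events whose Subject (the actor) is anyone other than `actor`."""
    kept = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["fields"].get("EventCode") != event_code:
            continue
        subj = subject_account(ev)
        if subj is not None and subj.casefold() != actor.casefold():
            kept.append(ev)
    return kept


def naive_any_account_not(raw_events, actor="Admin", event_code="4738"):
    """The pitfall: test both Account Name lines without asking which is which.
    Any record where *either* name differs from `actor` survives, so changes
    Admin made to other users are kept too."""
    kept = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["fields"].get("EventCode") != event_code:
            continue
        names = [subject_account(ev), target_account(ev)]
        if any(n is not None and n.casefold() != actor.casefold() for n in names):
            kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in changes_not_by(SAMPLE_EVENTS):
        print(ev["fields"]["RecordNumber"], subject_account(ev), "->", target_account(ev))
```

Running it lists only record 247214 (svc.helpdesk -> j.doe); the naive variant also returns 247213 and 247215, both of them changes made by Admin. Whatever field the search uses, check which "Account Name" line it was extracted from before trusting a `!=` filter on it.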