Splunk Search

How to filter the subject account name in the event log below as those other than admin?

realkazanova1
Loves-to-Learn

I want to filter the Subject Account Name in the Event log below as those other than Admin. So I want to see the cases where this log appears outside of the Admin. How can I do it ?

 

 

11/29/2022 12:23:16 PM
LogName=Security
EventCode=4738
EventType=0
ComputerName=dc.windomain.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=247213
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was changed.

Subject:
	Security ID:		S-1-5-21-4236582264-665789389-1555517817-1000
	Account Name:		Admin
	Account Domain:		WINDOMAIN
	Logon ID:		0x59B44

Target Account:
	Security ID:		S-1-5-21-4236582264-665789389-1555517817-1324
	Account Name:		aleda.billye
	Account Domain:		WINDOMAIN

 

 

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @realkazanova1,

you have to run a simple search like this:

index=wineventlog EventCode=4738 Account_name!="admin"

put attention if you have the Account_name field or another one.

If you don't have the correct field extractions, you have to install in your Search Head the Splunk_TA_Windows Add-on (https://splunkbase.splunk.com/app/742) to correctly parse your data.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...