Splunk Search

How to get the target Account Name from WinEventLog:Security

rune_hellem
Contributor

This is an example of an event for EventCode=4726. As you see, there are two "Account Name" fields, which the Splunk App parses as ... two account names.

11/19/2023 01:00:38 PM
LogName=Security
EventCode=4726
EventType=0
ComputerName=dc.acme.com
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=1539804373
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was deleted.

Subject:
	Security ID:		Acme\ScriptRobot
	Account Name:		ScriptRobot
	Account Domain:		Acme
	Logon ID:		0x997B8B20

Target Account:
	Security ID:		S-1-5-21-329068152-1767777339-1801674531-65826
	Account Name:		aml
	Account Domain:		Acme

Additional Information:
	Privileges	-

I want to search for all events with Subject: Account Name = ScriptRobot and then list all Target Account: Account Name values. Knowing that multiline regex can be a bit cumbersome, I tried the following search string, but it does not work:

index="wineventlog" EventCode=4726 | rex "Subject Account Name:\s+Account Name:\s+(?<SubjectAccount>[^\s]+).*\s+Target Account:\s+Account Name:\s+(?<TargetAccount>[^\s]+)"


yuanliu
SplunkTrust

If Splunk already extracted two Account Names, wouldn't it be simpler to call the first value and second value different names?

index="wineventlog" EventCode=4726
| eval SubjectAccountName = mvindex('Account Name', 0)
| eval TargetAccountName = mvindex('Account Name', 1)

Also, I remember that some say Windows events can come in as JSON. If you have structured data, you don't need to worry about these at all.

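The extraction this thread discusses, as an added example that is not from the thread or from Splunk: it applies the answer's positional approach (first and second "Account Name" value, as mvindex does) and a section-anchored multiline regex to a constructed copy of the 4726 message, written in Python rather than SPL so it can be run locally. The question's pattern expects the literal text "Subject Account Name:", which never occurs in the event; "Subject:" and "Account Name:" sit on separate lines, so the pattern below anchors on the section headers instead.

```python
import re

# Constructed copy of the 4726 event body from the thread (from "Message=" onwards).
EVENT_4726 = """Message=A user account was deleted.

Subject:
\tSecurity ID:\t\tAcme\\ScriptRobot
\tAccount Name:\t\tScriptRobot
\tAccount Domain:\t\tAcme
\tLogon ID:\t\t0x997B8B20

Target Account:
\tSecurity ID:\t\tS-1-5-21-329068152-1767777339-1801674531-65826
\tAccount Name:\t\taml
\tAccount Domain:\t\tAcme

Additional Information:
\tPrivileges\t-
"""

# Second constructed event with a different subject and target, for filtering.
EVENT_OTHER = EVENT_4726.replace("ScriptRobot", "jdoe").replace("\taml\n", "\tbob\n")

# Positional approach from the answer: every "Account Name:" value in document
# order; index 0 is the Subject and index 1 the Target, exactly as mvindex sees it.
ACCOUNT_NAME_RE = re.compile(r"^\s*Account Name:\s+(\S+)", re.MULTILINE)

def account_names_by_position(message):
    return ACCOUNT_NAME_RE.findall(message)

# Section-anchored approach: one multiline pattern that does not depend on order.
# "Subject:" and "Account Name:" are on separate lines, so the pattern skips
# lazily (.*? with DOTALL) from each section header to its Account Name line.
SECTIONS_RE = re.compile(
    r"Subject:.*?Account Name:\s+(?P<SubjectAccount>\S+)"
    r".*?Target Account:.*?Account Name:\s+(?P<TargetAccount>\S+)",
    re.DOTALL,
)

def account_names_by_section(message):
    m = SECTIONS_RE.search(message)
    if m is None:
        return None
    return m.group("SubjectAccount"), m.group("TargetAccount")

def targets_deleted_by(events, subject):
    """Equivalent of filtering on SubjectAccountName and listing TargetAccountName."""
    out = []
    for ev in events:
        parsed = account_names_by_section(ev)
        if parsed and parsed[0] == subject:
            out.append(parsed[1])
    return out
```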