Splunk Search

How to separate data from Security_ID field when capturing local accounts created/added to the local admin group?

papa
Explorer

Hello,

I am trying to test on a single host and this search may be completely wrong and would appreciate any assistance as I am just starting to use Splunk.

I am trying to capture any local accounts created or added to the local Administrators group on one host.

This gets me what I need, which is the Time(when), hostname ,who created but the Security_ID field is lumping all into one .. I need a column with just the Hostname\LocalAccountName or just LocalAccountName

Security_ID is including the SAmAccountname that created the account, the local account name and BUILTIN\Administrators all in one.

This is what I am searching, any help will be appreciated.

MyHostName EventCode=4732 OR EventCode=4720 | table _time, HostName, src_user, Security_ID, EventCode,
Labels (2)
0 Karma
1 Solution

marycordova
SplunkTrust
SplunkTrust

MyHostName EventCode=4732 OR EventCode=4720
| eval group_sid=mvindex('SecurityID',2)
| table _time, HostName, src_user, group_sid, EventCode

View solution in original post

papa
Explorer

Hi Marcy

The example log you posted is the exact that I see , I tested your example below but it made no difference .. is that how I would search ?

 

 

MyHostName EventCode=4732 OR EventCode=4720 | table _time, HostName, src_user, Security_ID, EventCode
|eval group_sid=mvindex('SecurityID',2)

 

0 Karma

marycordova
SplunkTrust
SplunkTrust

MyHostName EventCode=4732 OR EventCode=4720
| eval group_sid=mvindex('SecurityID',2)
| table _time, HostName, src_user, group_sid, EventCode

View solution in original post

papa
Explorer

that was it , I modified it a bit and got the 

I modified ('SecurityID',2) to ('Security_ID',1)

MyHostName EventCode=4732 OR EventCode=4720
| eval group_sid=mvindex('Security_ID',1)
| table _time, HostName, src_user,group_sid

 

marycordova
SplunkTrust
SplunkTrust

Your problem I think, is that SecurityID is a multivalue field.  

For reference: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732

marycordova_1-1599883111253.png

If you want to extract these into individual fields you would use "mvindex":

 

|eval subject_sid=mvindex('SecurityID',0)
|eval member_sid=mvindex('SecurityID',1)
|eval group_sid=mvindex('SecurityID',2)

 

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/MultivalueEvalFunctions#mvindex.2...

0 Karma

marycordova
SplunkTrust
SplunkTrust
Can you post a screen cap or sample of your log event?
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!