I am trying to test on a single host, and this search may be completely wrong; I would appreciate any assistance as I am just starting to use Splunk.
I am trying to capture any local accounts created or added to the local Administrators group on one host.
This gets me what I need, which is the time (when), hostname, and who created it, but the Security_ID field is lumping everything into one. I need a column with just the Hostname\LocalAccountName or just LocalAccountName.
Security_ID is including the sAMAccountName that created the account, the local account name, and BUILTIN\Administrators all in one.
This is what I am searching, any help will be appreciated.
MyHostName (EventCode=4732 OR EventCode=4720) | table _time, HostName, src_user, Security_ID, EventCode
The example log you posted is exactly what I see. I tested your example below, but it made no difference. Is that how I would search?
MyHostName (EventCode=4732 OR EventCode=4720) | table _time, HostName, src_user, Security_ID, EventCode | eval group_sid=mvindex('SecurityID',2)
That was it. I modified it a bit and got the
I modified ('SecurityID',2) to ('Security_ID',1).
MyHostName (EventCode=4732 OR EventCode=4720) | eval group_sid=mvindex('Security_ID',1) | table _time, HostName, src_user, group_sid
Your problem, I think, is that SecurityID is a multivalue field.
If you want to extract these into individual fields you would use "mvindex":
| eval subject_sid=mvindex('SecurityID',0) | eval member_sid=mvindex('SecurityID',1) | eval group_sid=mvindex('SecurityID',2)