Splunk Search

Splunk Query For Admin Who Unlocked Account

New Member

Hello All,

I created a query that looks for event 4767 (A user account was unlocked) and it returns the date/time of the event, the Administrator (Account_Name) who unlocked the account and the user who's account was unlocked. The problem is that it also lists the user's account under the "who unlocked the user" column. I think the query is pulling that information from the Target Account --> Account Name field. How do I exclude that from my results?

Here is my query:

index="wineventlog" EventCode=4767 user=$users$ | stats count by _time, Account_Name, user | fields - count | sort - _time
0 Karma
1 Solution

Path Finder

Your answer is in the already extracted fields.

index="wineventlog" EventCode=4767 user=$users$ | stats count by _time, src_user, user | fields - count | sort - _time

View solution in original post

0 Karma

Path Finder

Your answer is in the already extracted fields.

index="wineventlog" EventCode=4767 user=$users$ | stats count by _time, src_user, user | fields - count | sort - _time

View solution in original post

0 Karma

New Member

That worked! Thank you soooo much. You ROCK!

0 Karma

Influencer

can you share some sample events?

0 Karma

New Member

Are you asking for the results after I run my query? I am not sure what you mean by sample events. Can you clarify your question?

0 Karma

Influencer

the data on which you are performing search

0 Karma

New Member

Sure. Here you go:

5/13/19
3:50:35.000 PM

05/13/2019 03:50:35 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4767
EventType=0
Type=Information
ComputerName=LANS4SVTYLER.LANS.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=975672981
Keywords=Audit Success
Message=A user account was unlocked.

Subject:
Security ID: S-1-5-21-424224527-328161685-9522986-24256
Account Name: mjordan
Account Domain: LANS
Logon ID: 0x6e15262c

Target Account:
Security ID: S-1-5-21-424224527-328161685-9522986-42914
Account Name: jcarter
Account Domain: LANS
Collapse
host = LANS4SVTYLER source = WinEventLog:Security sourcetype = WinEventLog:Security src_user = mjordan user = jcarter

0 Karma

New Member

I am a newbie to splunk and have no idea how to apply regex to my query. Can you help me?

0 Karma

Influencer

you will have to apply some regex to get the Account Name fields for user(based on target account name) and Admin (based on Subject Account Name)

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!