Splunk Enterprise Security

Event ID 4738 - How to alert when source user and target user are the same?

fzuazo
Path Finder

Greetings all,

I am currently using a simple Splunk query to return all changes to a user account.

sourcetype=WinEventLog:Security EventCode=4738 Account_Name=USERNAME

An idea for an alert came to me and I have been having some issues getting it to work. How would I go about modifying this query to return only those entries where the source and target usernames are the same?

The purpose of this is to alert me when anyone makes changes to their own accounts in AD.

Thanks in advance all!

1 Solution

FrankVl
Ultra Champion

You'd need to refresh my mind on the actual field names of source user and target user for these particular events, but the basic principle would be:

sourcetype=WinEventLog:Security EventCode=4738 | where source_user = target_user

fzuazo
Path Finder

This is where I am stuck.

I have been trying to find the field names for the data but the way Splunk sees the event is below. I know it's impossible but the source and target seem to be the same.

Subject:
Security ID: DOMAIN\USERNAME
Account Name: USERNAME
Account Domain: DOMAIN
Logon ID: VALUE

Target Account:
Security ID: DOMAIN\USERNAME
Account Name: USERNAME
Account Domain: DOMAIN

FrankVl
Ultra Champion

Ah, yeah, the joy of those plain text windows events and their non-unique field names that get mapped to multi-valued fields in Splunk.

So in that case Account_Name is multi-valued, right? Just split it using mvindex:

sourcetype=WinEventLog:Security EventCode=4738
| eval source_user = mvindex(Account_Name,0)
| eval target_user = mvindex(Account_Name,1)
| where source_user = target_user

But actually Splunk TA Windows already maps those 2 user names to src_user and user for CIM compatibility. So you should simply be able to do | where src_user = user.
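
The same detection logic outside Splunk, as an added example that is not part of this thread or of the Splunk add-on: it parses the plain-text 4738 layout fzuazo pasted, takes the first "Account Name" as the Subject and the second as the Target (the order mvindex(Account_Name,0) and mvindex(Account_Name,1) rely on), and flags self-changes. It goes one step beyond the thread by also comparing the Account Domain values, so a same-named account in a different domain is not reported; the events and account names are constructed samples.

```python
import re

# Constructed sample 4738 events (not real logs), laid out the way the
# Windows Security log renders them: the Subject block and the Target
# Account block both contain "Account Name:" and "Account Domain:", which
# is why Splunk turns Account_Name into a multi-valued field.
SAMPLE_EVENTS = [
    # Subject == Target: a user changing their own account
    "EventCode=4738\nSubject:\n\tSecurity ID:\tCORP\\alice\n\tAccount Name:\talice\n"
    "\tAccount Domain:\tCORP\n\tLogon ID:\t0x3E7\nTarget Account:\n"
    "\tSecurity ID:\tCORP\\alice\n\tAccount Name:\talice\n\tAccount Domain:\tCORP\n",
    # Helpdesk account changing someone else's account
    "EventCode=4738\nSubject:\n\tSecurity ID:\tCORP\\helpdesk\n\tAccount Name:\thelpdesk\n"
    "\tAccount Domain:\tCORP\n\tLogon ID:\t0x5A2\nTarget Account:\n"
    "\tSecurity ID:\tCORP\\bob\n\tAccount Name:\tbob\n\tAccount Domain:\tCORP\n",
    # Same name, different domain: not a self-change
    "EventCode=4738\nSubject:\n\tSecurity ID:\tCORP\\svc\n\tAccount Name:\tsvc\n"
    "\tAccount Domain:\tCORP\n\tLogon ID:\t0x77\nTarget Account:\n"
    "\tSecurity ID:\tLAB\\svc\n\tAccount Name:\tsvc\n\tAccount Domain:\tLAB\n",
]

NAME_RE = re.compile(r"Account Name:\s*(\S+)")
DOMAIN_RE = re.compile(r"Account Domain:\s*(\S+)")

def accounts(event):
    """Return [(domain, name), ...] in document order. Index 0 is the Subject
    and index 1 the Target, the same order mvindex(Account_Name, 0/1) relies on."""
    names = NAME_RE.findall(event)
    domains = DOMAIN_RE.findall(event)
    return list(zip(domains, names))

def is_self_change(event):
    """True when Subject and Target are the same principal.
    Returns None when the event lacks both blocks, so a malformed event is
    surfaced instead of being silently counted as a match or a non-match."""
    acct = accounts(event)
    if len(acct) < 2:
        return None
    (src_dom, src_name), (tgt_dom, tgt_name) = acct[0], acct[1]
    # Windows account and domain names are case-insensitive
    return (src_dom.casefold(), src_name.casefold()) == (tgt_dom.casefold(), tgt_name.casefold())

def self_changes(events):
    """Subset of events that would fire the 'user edited own account' alert."""
    return [e for e in events if is_self_change(e)]

if __name__ == "__main__":
    for ev in self_changes(SAMPLE_EVENTS):
        print("ALERT self-change:", accounts(ev)[1])
```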

fzuazo
Path Finder

Both of your recommendations worked for me.

Thank you Frank.
