Greetings all,
I am currently using a simple Splunk query to return all changes to a user account.
sourcetype=WinEventLog:Security EventCode=4738 Account_Name=USERNAME
An idea for an alert came to me and I have been having some issues getting it to work. How would I go about modifying this query to return only those entries where the source and target usernames are the same?
The purpose of this is to alert me when anyone makes changes to their own accounts in AD.
Thanks in advance all!
You'd need to refresh my mind on the actual field names of source user and target user for these particular events, but the basic principle would be:
sourcetype=WinEventLog:Security EventCode=4738 | where source_user = target_user
This is where I am stuck.
I have been trying to find the field names for the data but the way Splunk sees the event is below. I know it's impossible but the source and target seem to be the same.
Subject:
Security ID: DOMAIN\USERNAME
Account Name: USERNAME
Account Domain: DOMAIN
Logon ID: VALUE
Target Account:
Security ID: DOMAIN\USERNAME
Account Name: USERNAME
Account Domain: DOMAIN
Ah, yeah, the joy of those plain text windows events and their non-unique field names that get mapped to multi-valued fields in Splunk.
So in that case Account_Name is multi-valued, right? Just split it using mvindex:
sourcetype=WinEventLog:Security EventCode=4738
| eval source_user = mvindex(Account_Name,0)
| eval target_user = mvindex(Account_Name,1)
| where source_user = target_user
But actually Splunk TA Windows already maps those 2 user names to src_user and user for CIM compatibility. So you should simply be able to do | where src_user = user.
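As an added example that is not part of the thread, the script below performs the same comparison outside Splunk, over the raw 4738 text in the layout the poster pasted. The events, account names, domains and helper names are constructed for this example and are assumptions, not data from the original thread. It reproduces the name-only check that the mvindex search does and a stricter check that also compares the domain, which matters wherever the same account name exists in more than one domain.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str     # "Account Name" line of a Subject / Target Account block
    domain: str   # "Account Domain" line of the same block

    def label(self) -> str:
        return f"{self.domain}\\{self.name}"


def _raw_event(code: int, subj: Tuple[str, str], tgt: Tuple[str, str]) -> str:
    """Build a constructed raw Security event in the layout Splunk indexes.
    This is stand-in sample data for the example, not a real log record."""
    return (
        f"EventCode={code}\nA user account was changed.\n\n"
        "Subject:\n"
        f"\tSecurity ID:\t\t{subj[0]}\\{subj[1]}\n"
        f"\tAccount Name:\t\t{subj[1]}\n"
        f"\tAccount Domain:\t\t{subj[0]}\n"
        "\tLogon ID:\t\t0x3E7A1\n\n"
        "Target Account:\n"
        f"\tSecurity ID:\t\t{tgt[0]}\\{tgt[1]}\n"
        f"\tAccount Name:\t\t{tgt[1]}\n"
        f"\tAccount Domain:\t\t{tgt[0]}\n"
    )


# Constructed sample events (assumed names and domains, not from the thread).
SAMPLE_EVENTS = [
    _raw_event(4738, ("CORP", "alice"), ("CORP", "alice")),       # alice edits her own account
    _raw_event(4738, ("CORP", "helpdesk1"), ("CORP", "bob")),     # helpdesk edits someone else
    _raw_event(4738, ("CORP", "alice"), ("LAB", "alice")),        # same name, different domain
    _raw_event(4720, ("CORP", "helpdesk1"), ("CORP", "carol")),   # not a 4738, must be ignored
]


def _section(raw: str, header: str) -> str:
    """Return the indented block under `header:`; it ends at the next
    unindented line (the next header) or at the end of the event."""
    start = raw.find(header + ":")
    if start < 0:
        return ""
    body = raw[start + len(header) + 1:]
    end = re.search(r"\n(?=\S)", body)
    return body[:end.start()] if end else body


def _field(section: str, name: str) -> Optional[str]:
    """Value of a 'Name:   value' line inside one block, whitespace stripped."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.*?)[ \t]*$", section, re.M)
    return m.group(1) if m else None


def _account(section: str) -> Optional[Account]:
    name = _field(section, "Account Name")
    domain = _field(section, "Account Domain")
    return Account(name, domain) if name and domain else None


def parse_4738(raw: str) -> Optional[Tuple[Account, Account]]:
    """Parse one raw event into (subject, target). Returns None unless it is
    a 4738 with both blocks present, mirroring `EventCode=4738` in the search.
    Subject comes before Target Account in the event text, which is also why
    mvindex(Account_Name,0) is the source and mvindex(Account_Name,1) the target."""
    m = re.search(r"EventCode=(\d+)", raw)
    if not m or m.group(1) != "4738":
        return None
    subj = _account(_section(raw, "Subject"))
    tgt = _account(_section(raw, "Target Account"))
    return (subj, tgt) if subj and tgt else None


def same_name(subj: Account, tgt: Account) -> bool:
    """What `mvindex(Account_Name,0) = mvindex(Account_Name,1)` checks:
    the bare account names only, domain ignored."""
    return subj.name.lower() == tgt.name.lower()


def same_principal(subj: Account, tgt: Account) -> bool:
    """Stricter check: domain and name must both match (Windows account names
    are case-insensitive), so alice in CORP editing alice in LAB is not a hit."""
    return (subj.domain.lower(), subj.name.lower()) == (tgt.domain.lower(), tgt.name.lower())


def find_self_changes(raw_events: List[str], strict: bool = True) -> List[Tuple[str, str]]:
    """Return (subject, target) labels for 4738 events where the subject changed
    its own account. strict=False reproduces the name-only search from the thread."""
    check = same_principal if strict else same_name
    hits = []
    for raw in raw_events:
        parsed = parse_4738(raw)
        if parsed and check(*parsed):
            hits.append((parsed[0].label(), parsed[1].label()))
    return hits


if __name__ == "__main__":
    for subject, target in find_self_changes(SAMPLE_EVENTS):
        print(f"self-change: {subject} modified {target}")
```

Run with the sample data, the strict check flags only the first event; the name-only check also flags the third, where the same username exists in two domains. In Splunk the same distinction applies: comparing just the two Account_Name values (or src_user = user, which carries no domain) will fire on cross-domain edits of a like-named account, so include the Account_Domain values in the comparison if the forest has more than one domain.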
Both of your recommendations worked for me.
Thank you Frank.