Windows security daily domain activities

sourcetype=WinEventLog:Security src_nt_domain!="NT AUTHORITY" EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764 OR EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762
| rex field=member_id "^\w+\W(?<ITS_Admin>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<Target_Account>.*\S)"
| eval Target_Account=if(Target_Account="NONE_MAPPED", trim(member_dn, ITS_Admin), Target_Account)
| table _time, EventCode, EventCodeDescription, src_nt_domain, ITS_Admin, Target_Account,src_nt_domain,msad_action,Group_Name
| sort EventCodeDescription,ITS_Admin, Target_Account
| rename ITS_Admin as "ITS Admin", src_nt_domain as "Source Domain"
Share This:


  1. Jeff


    “ITS_Admin” is a value pulled via regex from the line:

    | rex field=member_id “^\w+\W(?\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?.*\S)”

    To test what the regex is pulling from your Windows events go to and post the regex (minus the quotes) “^\w+\W(?\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?.*\S)” into the REGULAR EXPRESSION field and post your event into the TEST STRING field. On the right hand side in MATCH INFORMATION will be the values from the regex

Leave A Comment?