Who rated this post

aspatil · ‎10-08-2024

Thanks for reaching out on LiveCommunity!

Below query will help with more information:

preset = xdr_event_log
// Parse the user that is provisioning the account
| alter provisioning_sid = arrayindex(regextract(action_evtlog_message ,"Security ID:\t+(.*)\r\n"),0)
| alter provisioning_account_name = arrayindex(regextract(action_evtlog_message ,"Account Name:\t+(.*)\r\n"),0)
| alter provisioning_account_domain = arrayindex(regextract(action_evtlog_message ,"Account Domain:\t+(.*)\r\n"),0)
// Parse the new users account info
| alter new_sid = arrayindex(regextract(action_evtlog_message ,"Security ID:\t+(.*)\r\n"),1)
| alter account_name = arrayindex(regextract(action_evtlog_message ,"New Account:(?:[^\n]*\n){2}(?:[^\n]Account Name:\t+(.*))"),0)
// Parse the group attributes
| alter group_sid = arrayindex(regextract(action_evtlog_message ,"Security ID:\t+(.*)\r\n"),2)
| alter group_name = arrayindex(regextract(action_evtlog_message ,"Group Name:\t+(.*)\r\n"),0)
| alter group_domain = arrayindex(regextract(action_evtlog_message ,"Group Domain:\t+(.*)\r\n"),0)
// Get all events and dedup
| filter action_evtlog_event_id = 4720 OR action_evtlog_event_id = 4732 or action_evtlog_event_id = 4726 or action_evtlog_event_id = 4730
| dedup agent_hostname, action_evtlog_event_id, group_name, new_sid
// remove all machine accounts being created
| filter account_name not contains "$"
// make everything look pretty grouped on host
| fields _time, agent_hostname, agent_ip_addresses, action_evtlog_description, action_evtlog_event_id, action_evtlog_message, provisioning_sid, provisioning_account_name, provisioning_account_domain, new_sid, account_name, group_sid, group_name, group_domain
| transaction _time, agent_hostname, agent_ip_addresses, action_evtlog_description, action_evtlog_event_id, action_evtlog_message, provisioning_sid, provisioning_account_name, provisioning_account_domain, new_sid, account_name, group_sid, group_name, group_domain span=180m
| comp values(action_evtlog_event_id) as EventID, values(provisioning_sid) as provisioning_sid, values(provisioning_account_name) as provisioning_account_name, values(provisioning_account_domain) as provisioning_account_domain, values(new_sid) as new_sid, values(account_name) as new_account_name, values(group_sid) as group_sid, values(group_name) as group_name, values(group_domain) as group_domain, count() as logs_per_host_provisioned by agent_hostname

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Regards,

Ashutosh

Ashutosh Patil

View solution in original post

Unlock your full community experience!

Who rated this post