I’ve started playing arrond with Loki and Windows security logs. What I’m looking for is a way to show locked out user accounts in a dashboard. All the info I need is in the linetext, but I can’t figure out a way to clean up or extract the info.
Logline looks like this:
{“source”:“Microsoft-Windows-Security-Auditing”,“channel”:“Security”,“computer”:“server.name”,“event_id”:4740,“task”:13824,“levelText”:“Information”,“taskText”:“User Account Management”,“opCodeText”:“Info”,“keywords”:“Audit Success”,“timeCreated”:“2023-03-31T09:32:49.109963600Z”,“eventRecordID”:15976100448,“execution”:{“processId”:624,“threadId”:3872,“processName”:“lsass.exe”},“event_data”:“\u003cData Name=‘TargetUserName’\u003e"USERNAME”\u003c/Data\u003e\u003cData Name=‘TargetDomainName’\u003e"COMPUTERNAME"\u003c/Data\u003e\u003cData Name=‘TargetSid’\u003e"SID"\u003c/Data\u003e\u003cData Name=‘SubjectUserSid’\u003e"SUS"\u003c/Data\u003e\u003cData Name=‘SubjectUserName’\u003e"SERVER"$\u003c/Data\u003e\u003cData Name=‘SubjectDomainName’\u003e"DOMAIN"\u003c/Data\u003e\u003cData Name=‘SubjectLogonId’\u003e0x3e7\u003c/Data\u003e",“message”:“A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\t"SUS”\r\n\tAccount Name:\t\t"SERVER"$\r\n\tAccount Domain:\t\t"DOMAIN"\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\t"SID"\r\n\tAccount Name:\t\t"USERNAME"\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t"COMPUTER"}
All I need is time, username and caller computername. If I could get this info in a table, I would be very happy (for a while).