NTEventUser - Domain Admin Login Help

paulnus
Posts: 17
Joined: Mon Aug 29, 2011 12:18 pm

NTEventUser - Domain Admin Login Help

Post by paulnus »

Hello,
My goal is to alert when a domain admin logs into a device on our network. We have the proper auditing turned on for our Windows servers and I am putting Event Log tests on all our domain controllers.

My test properly picks up the event I am looking for (4624) and it does properly bring back when the description contains one of my domain admin usernames using "Account Name: xxxxxx".

I am using the Slack notification to send to the channel but the text when going to slack removes the CRLF and the NTEventUser is showing up blank.

My alert:

############################################
:face_vomiting: :rotating_light: [%hostaddr%] :face_vomiting: :rotating_light:
############################################
%TestName%
Event Source: %NTEventSource%
Event Time: %NTEventTime%
Event Name: %NTEventTypeName%
Event User:	%NTEventUser%
Method: %TestMethod%
Date: %DateTime%
Status: %Status%
Recurr: %Recurrences%
Agent: %Agent%
Path: %FullPath%
############################################

Results:

############################################
:face_vomiting: :rotating_light: [localhost] :face_vomiting: :rotating_light:
############################################
SRVXXX1 - [10.0.0.1] - [NT Events log] - [DA Logon - 4624]
Event Source: Microsoft-Windows-Security-Auditing
Event Time: 1/21/2021 9:01:32 AM
Event Number: 8
Event Name: Success audit
Event User: -
Method: check NT Event Log
Date: 1/21/2021 3:01:43 PM
Status: Bad
Recurr: 1
Agent: SRVXXX1
Path: Root\COMPANY\Servers\Virtual\SRVXXX1\
############################################

Here is part of the 4624 event log:

2021-01-21 14:34:22	Local7.Debug	10.224.8.11	2021-01-21 08:34:21 SRVXXX1 AUDIT_SUCCESS 4624 An account was successfully logged on.

Subject:
	Security ID:		S-1-5-18
	Account Name:		SRVXXX1$
	Account Domain:		COMPANY
	Logon ID:		0x333

Logon Information:
	Logon Type:		2
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		No

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-21-2222222222-2222222222-1935222222222213326-2222
	Account Name:		myusername
	Account Domain:		COMPANY
	Logon ID:		0x22222222222
	Linked Logon ID:		0x22222222222
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

My question would be, as it relates to the %NTEventUser% variable, whether it's pulling the "Account Name" or what piece of information it keys off of during this process? Am I looking at the wrong log, or a log where that will not work?

If there is another way of achieving this where I can simply return the user account that was trying to log in, I am all ears. I was trying to potentially alter the Reply results with just the Account Name but figured after some reading that I couldn't do that based on how that was intended to work.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

Windows version on HostMonitor and remote system?
HostMonitor version?

I think %NTEventUser% is empty because there is no such data in the event record. Does Windows Event Viewer show "User: N/A" for this event?
While "Account Name: myusername" is part of the event text, %NTEventText% can be used to retrieve the event message.

Regards
Alex
paulnus
Posts: 17
Joined: Mon Aug 29, 2011 12:18 pm

Post by paulnus »

I was worried that "Account Name" would not be the key field it would be looking for. The "User: N/A" is not part of the returned event results.

Windows on HM: Microsoft Windows Server 2019 Datacenter
HM Version: v12.56

Windows on DC: Microsoft Windows Server 2019 Standard
RMA Version: v7.31

I was going down the road of using "Tune up Reply" to getword but I really need the getword to accept 3 arguments (%NTEventText%, "Account:", 1) --> the first word after "Account:" in the %NTEventText%. I realize now that getword doesn't actually work that way.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

I was worried that "Account Name" would not be the key field it would be looking for. The "User: N/A" is not part of the returned event results.
Sorry, I do not understand what you mean :oops:
What does "key field" mean? HostMonitor checks events using the filter you set for the test, like event ID, event type, some text string(s).
If you set the filter using "Description contains any string from the list: Account Name" then HostMonitor will check for the "Account Name" string within the event text.
This does not mean HostMonitor will show you just the account name; this means HostMonitor will detect such an event as "bad", trigger a status change and start the actions assigned to the test.

While "User: N/A" relates to a parameter of the event. It's not part of the event text, it's a special event field.
Your complaint is that %NTEventUser% is showing up blank; that's why I asked you to check the event parameters. Probably HostMonitor works correctly and there is no UserID specified for this event.
I really need the getword to accept 3 arguments (%NTEventText%, "Account:", 1) --> the first word after "Account:" in the %NTEventText%
There is no such option.
Maybe we can add a "GetLineWithText" operator: find the line with specific text and return the entire line.
So you will be able to use some expression like
"%NTEventText%" GetLineWithText "Account Name:" getword 3

Regards
Alex
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

On the other hand, HostMonitor offers the indexof and substr functions.
If you need 1 word after "Account Name:", you may use the "TuneUp Reply value" option with an expression like
[substr("%NTEventText%", indexof("%NTEventText%","Account Name:"), 100) getword 3]

Then just use %Reply% as the parameter of the action.

Regards
Alex
paulnus
Posts: 17
Joined: Mon Aug 29, 2011 12:18 pm

Post by paulnus »

No problem, I was explaining it dumb.

What I was saying was that I was thinking the %NTEventUser% was something special that would be trying to extract usernames. I'm not in the logs enough to know that "User:" is a common field.

Great, I'll try to just return the line. That will suit my needs great.
paulnus
Posts: 17
Joined: Mon Aug 29, 2011 12:18 pm

Post by paulnus »

Worked!

I had to use "New Logon:" since "Account Name:" appeared multiple times and it grabbed the first one, which is not what I wanted.

[substr("%NTEventText%", indexof("%NTEventText%","New Logon:"), 100) getword 8]
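As an added illustration (not part of the thread and not HostMonitor's own code), the Python below reproduces the substr/indexof/getword expression KS-Soft suggested and the "New Logon:" variant paulnus settled on, runs both against a constructed 4624 description, and contrasts them with parsing the "New Logon:" block by field name. It assumes HostMonitor's getword is 1-based (as the thread's "getword 3" implies); the SID, host name, account names and domain-admin watch list are constructed placeholders.

```python
import re

# Constructed 4624 description modelled on the one posted in the thread.
# SID, host, user and domain values are placeholders, not real data.
def build_4624(new_logon_user: str) -> str:
    """Return a sample 4624 event text whose 'New Logon' account is new_logon_user."""
    return (
        "An account was successfully logged on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        "\tAccount Name:\t\tSRVXXX1$\n"           # the computer account, not the user
        "\tAccount Domain:\t\tCOMPANY\n"
        "\tLogon ID:\t\t0x333\n"
        "\n"
        "Logon Information:\n"
        "\tLogon Type:\t\t2\n"
        "\n"
        "New Logon:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\n"
        f"\tAccount Name:\t\t{new_logon_user}\n"  # the account that actually logged on
        "\tAccount Domain:\t\tCOMPANY\n"
        "\tLogon ID:\t\t0x2A1B3C\n"
        "\n"
        "Process Information:\n"
        "\tProcess ID:\t\t0x3e8\n"
    )

SAMPLE_4624 = build_4624("myusername")


# --- Python stand-ins for the HostMonitor expression operators (assumed semantics) ---
def indexof(text: str, needle: str) -> int:
    return text.find(needle)               # -1 when the needle is absent

def substr(text: str, start: int, length: int) -> str:
    return text[start:start + length]

def getword(text: str, n: int) -> str:
    """n-th whitespace-separated word, 1-based like the thread's 'getword 3'."""
    words = text.split()
    return words[n - 1] if 0 < n <= len(words) else ""

def hm_style_extract(text: str, anchor: str, word_index: int, window: int = 100) -> str:
    """Mimic [substr("%NTEventText%", indexof("%NTEventText%", anchor), window) getword N]."""
    start = indexof(text, anchor)
    if start < 0:
        return ""
    return getword(substr(text, start, window), word_index)


# --- Field-based parsing of the 'New Logon:' section (no word counting, no fixed window) ---
def new_logon_fields(text: str) -> dict:
    """Return the 'Key: value' lines of the 'New Logon:' block as a dict."""
    m = re.search(r"^New Logon:\n(.*?)(?:\n\s*\n|\Z)", text, re.S | re.M)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

# Constructed watch list of domain-admin account names.
DOMAIN_ADMINS = {"myusername", "da.alice"}

def domain_admin_logon(text: str, admins=DOMAIN_ADMINS):
    """Return the New Logon account name if it is on the watch list, else None."""
    user = new_logon_fields(text).get("Account Name", "")
    return user if user.lower() in {a.lower() for a in admins} else None


if __name__ == "__main__":
    # Anchoring on the first "Account Name:" returns the Subject (computer) account.
    print(hm_style_extract(SAMPLE_4624, "Account Name:", 3))   # SRVXXX1$
    # Anchoring on "New Logon:" and taking word 8 returns the account that logged on.
    print(hm_style_extract(SAMPLE_4624, "New Logon:", 8))      # myusername
    # ...but the 100-character window cuts longer names short.
    print(hm_style_extract(build_4624("administrator_longname"), "New Logon:", 8))
    print(domain_admin_logon(SAMPLE_4624))                     # myusername
```

With the SID length used here, the 100-character window ends just after a 10-character account name; a longer user name or a longer SID is cut off, so check the window against real events from each domain controller, or read "Account Name" out of the "New Logon:" block by field name as `new_logon_fields` does.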