My goal is to alert when a domain admin logs into a device on our network. We have the proper auditing turned on for our Windows servers and I am putting Event Log tests on all our domain controllers.
My test properly picks up the event I am looking for (4624) and it does properly bring back when the description contains one of my domain admin usernames using "Account Name: xxxxxx".
I am using the Slack notification to send to the channel, but the text going to Slack loses the CRLFs, and the NTEventUser is showing up blank.
My alert:
Code:
############################################
:face_vomiting: :rotating_light: [%hostaddr%] :face_vomiting: :rotating_light:
############################################
%TestName%
Event Source: %NTEventSource%
Event Time: %NTEventTime%
Event Name: %NTEventTypeName%
Event User: %NTEventUser%
Method: %TestMethod%
Date: %DateTime%
Status: %Status%
Recurr: %Recurrences%
Agent: %Agent%
Path: %FullPath%
############################################
Code:
############################################
:face_vomiting: :rotating_light: [localhost] :face_vomiting: :rotating_light:
############################################
SRVXXX1 - [10.0.0.1] - [NT Events log] - [DA Logon - 4624]
Event Source: Microsoft-Windows-Security-Auditing
Event Time: 1/21/2021 9:01:32 AM
Event Number: 8
Event Name: Success audit
Event User: -
Method: check NT Event Log
Date: 1/21/2021 3:01:43 PM
Status: Bad
Recurr: 1
Agent: SRVXXX1
Path: Root\COMPANY\Servers\Virtual\SRVXXX1\
############################################
Code:
2021-01-21 14:34:22 Local7.Debug 10.224.8.11 2021-01-21 08:34:21 SRVXXX1 AUDIT_SUCCESS 4624 An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SRVXXX1$
Account Domain: COMPANY
Logon ID: 0x333
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-2222222222-2222222222-1935222222222213326-2222
Account Name: myusername
Account Domain: COMPANY
Logon ID: 0x22222222222
Linked Logon ID: 0x22222222222
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
If there is another way of achieving this where I can simply return the user account that was trying to log in, I am all ears. I was trying to potentially alter the Reply results with just the Account Name but figured, after some reading, that I couldn't do that based on how that was intended to work.
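Added example (Python; not from the post or from the monitoring product): the 4624 description above contains two "Account Name:" fields, and the first one belongs to the Subject section (the machine account SRVXXX1$ that requested the logon), while the user who actually logged on is in the New Logon section. This parser splits the description into its sections so an alert can report the New Logon account and logon type; the sample event is constructed from the one posted, and the domain admin list is an assumed placeholder.

```python
import re
# Constructed, abridged 4624 description modelled on the one in the post.
SAMPLE_4624 = """An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: SRVXXX1$
Account Domain: COMPANY
Logon ID: 0x333
Logon Information:
Logon Type: 2
New Logon:
Security ID: S-1-5-21-2222222222-2222222222-1935222222222213326-2222
Account Name: myusername
Account Domain: COMPANY
Logon ID: 0x22222222222"""

DOMAIN_ADMINS = {"myusername", "da_jane"}  # assumed list of DA account names

def parse_4624(description):
    """Group 'Field: value' lines under their section header (a line such
    as 'New Logon:' that has a colon but no value)."""
    sections, current = {}, None
    for line in description.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # free text, e.g. the first sentence
        key, value = key.strip(), value.strip()
        if not value:
            current = key  # section header
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return sections

def naive_account_name(description):
    """First 'Account Name:' in the text is the Subject (here the machine
    account that requested the logon), not the user who logged on."""
    m = re.search(r"Account Name:\s*(\S+)", description)
    return m.group(1) if m else None

def logon_user(description):
    """(DOMAIN\\account, logon type) for the account that actually logged on."""
    s = parse_4624(description)
    nl, li = s.get("New Logon", {}), s.get("Logon Information", {})
    return f"{nl.get('Account Domain', '?')}\\{nl.get('Account Name', '?')}", li.get("Logon Type")

def is_domain_admin_logon(description, admins=DOMAIN_ADMINS):
    name = parse_4624(description).get("New Logon", {}).get("Account Name", "")
    return name.lower() in {a.lower() for a in admins}
```

The logon type (2 here, an interactive logon) is worth carrying into the alert alongside the account, since a DA interactive logon to a member server is a different risk than a network logon to a domain controller.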