<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">ActivityID</span>
<span class="pill kill-chain">Caller_Domain</span>
<span class="pill kill-chain">Caller_User_Name</span>
<span class="pill kill-chain">CategoryString</span>
<span class="pill kill-chain">Channel</span>
<span class="pill kill-chain">Computer</span>
<span class="pill kill-chain">Error_Code</span>
<span class="pill kill-chain">EventCode</span>
<span class="pill kill-chain">EventData_Xml</span>
<span class="pill kill-chain">EventID</span>
<span class="pill kill-chain">EventRecordID</span>
<span class="pill kill-chain">Guid</span>
<span class="pill kill-chain">Keywords</span>
<span class="pill kill-chain">Level</span>
<span class="pill kill-chain">Logon_ID</span>
<span class="pill kill-chain">Name</span>
<span class="pill kill-chain">Opcode</span>
<span class="pill kill-chain">ProcessID</span>
<span class="pill kill-chain">RecordNumber</span>
<span class="pill kill-chain">Source_Workstation</span>
<span class="pill kill-chain">Status</span>
<span class="pill kill-chain">SubjectDomainName</span>
<span class="pill kill-chain">SubjectLogonId</span>
<span class="pill kill-chain">SubjectUserName</span>
<span class="pill kill-chain">SubjectUserSid</span>
<span class="pill kill-chain">SystemTime</span>
<span class="pill kill-chain">System_Props_Xml</span>
<span class="pill kill-chain">Task</span>
<span class="pill kill-chain">ThreadID</span>
<span class="pill kill-chain">Version</span>
<span class="pill kill-chain">Workstation</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">dvc_nt_host</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">name</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">session_id</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_nt_domain</span>
<span class="pill kill-chain">src_nt_host</span>
<span class="pill kill-chain">src_user</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">subject</span>
<span class="pill kill-chain">ta_windows_action</span>
<span class="pill kill-chain">ta_windows_security_CategoryString</span>
<span class="pill kill-chain">ta_windows_status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: Windows Event Log Security 4794
Description
Logs attempts to set the Directory Services Restore Mode (DSRM) administrator password, including details about the account name and the user performing the action.
Details
Property | Value |
---|---|
Source | XmlWinEventLog:Security |
Sourcetype | xmlwineventlog |
Separator | EventCode |
Supported Apps
- Splunk Add-on for Microsoft Windows (version 9.0.1)
Event Fields
Example Log
1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4794</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-08-23T04:24:05.064689300Z'/><EventRecordID>821077</EventRecordID><Correlation ActivityID='{4EC0CCF2-B67B-0004-F8CC-C04E7BB6D801}'/><Execution ProcessID='612' ThreadID='4120'/><Channel>Security</Channel><Computer>win-dc-root-17044-552.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x959c5</Data><Data Name='Workstation'>[fe80::b907:7694:d740:91bb]</Data><Data Name='Status'>0x0</Data></EventData></Event>
Source: GitHub | Version: 2