30 Dec 2024 10:50 AM - last edited on 31 Dec 2024 07:14 AM by MaciejNeumann
Hello,
I'm having trouble with my DPL analysis; I would like to obtain only these lines:
(In Account That Was Locked Out)
Security ID:
Account Name:
(In Additional Information)
Caller Computer Name:
Here is the content of the log:
A user account was locked out.
Subject:
    Security ID: Example1
    Account Name: Example2$
    Account Domain: Example3
    Logon ID: Example4
Account That Was Locked Out:
    Security ID: Example5
    Account Name: Example6
Additional Information:
    Caller Computer Name: Example7
Thanks in advance
30 Dec 2024 03:54 PM - edited 30 Dec 2024 03:55 PM
I managed to solve the problem, in case this helps anyone.
In DPL Architect:
DATA "Account That Was Locked Out:" SPACE "Security ID:" LD:Security_ID EOL SPACE "Account Name:" LD:Account_Name EOL SPACE "Additional Information:" SPACE "Caller Computer Name:" LD:Caller_Computer_Name
In DQL:
fetch logs
| filter matchesValue(winlog.eventid, "4740")
| parse content, """DATA "Account That Was Locked Out:" SPACE "Security ID:" LD:Security_ID EOL SPACE "Account Name:" LD:Account_Name EOL SPACE "Additional Information:" SPACE "Caller Computer Name:" LD:Caller_Computer_Name"""
| fields Security_ID, Account_Name, Caller_Computer_Name
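The same section-aware extraction written out in Python, as an added example that is not part of the original thread and not Dynatrace code. The point it makes explicit is why the DPL pattern above has to anchor on "Account That Was Locked Out:" first: a 4740 message contains "Security ID:" and "Account Name:" twice (once under Subject, once under the locked-out account), so a flat key lookup silently returns the Subject's values. The event text and SIDs below are constructed placeholders laid out like the real event (tab-indented fields under unindented section headers); the second sample shows the empty Caller Computer Name that some 4740 events carry, and the small aggregation at the end is the usual first triage step of counting lockouts per source computer.

```python
import re
from collections import Counter

# Constructed sample of a Windows Security event 4740 message body, modelled on
# the layout quoted in the question. Values are placeholders, not real data.
SAMPLE_4740 = """A user account was locked out.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tDC01$
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

Account That Was Locked Out:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tjdoe

Additional Information:
\tCaller Computer Name:\tWS-042
"""

# Second constructed sample: identical, but the lockout source was not recorded,
# which shows up as an empty Caller Computer Name.
SAMPLE_4740_NO_CALLER = SAMPLE_4740.replace(
    "\tCaller Computer Name:\tWS-042", "\tCaller Computer Name:\t"
)

# A section header is an unindented line that ends in a colon ("Subject:").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):\s*$")
# A field is "Key: value" (indented or not); the value may be empty.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+):\s*(?P<value>.*?)\s*$")


def parse_event_4740(message: str) -> dict:
    """Walk the message line by line, tracking the current section header, and
    return the three fields asked for in the question. Keeping the section in
    scope is what distinguishes the locked-out account's Security ID from the
    Subject's Security ID, which carries the same label."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for line in message.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip()] = m.group("value")
    locked = sections.get("Account That Was Locked Out", {})
    extra = sections.get("Additional Information", {})
    return {
        "Security_ID": locked.get("Security ID"),
        "Account_Name": locked.get("Account Name"),
        # An empty caller name comes back as "" (label present, value blank);
        # None means the section or label was absent from the text entirely.
        "Caller_Computer_Name": extra.get("Caller Computer Name"),
    }


def lockouts_by_caller(messages) -> Counter:
    """Count lockouts per caller computer across a batch of 4740 bodies.
    Events with no recorded source are grouped under one bucket so they are
    not lost; that is the group to check first against a DC's own logs."""
    counts: Counter = Counter()
    for msg in messages:
        caller = parse_event_4740(msg)["Caller_Computer_Name"] or "<not recorded>"
        counts[caller] += 1
    return counts


if __name__ == "__main__":
    print(parse_event_4740(SAMPLE_4740))
    print(lockouts_by_caller([SAMPLE_4740, SAMPLE_4740, SAMPLE_4740_NO_CALLER]))
```

The DPL `LD` matcher stops at the end of the line, so an empty Caller Computer Name yields an empty string there as well; the Python mirrors that and additionally returns None when the label is missing, which is worth distinguishing when feeding the result into a lockout-source report.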