WEC - Event 4732 not showing Account Name on...
Posted 9/10/2017 3:58:41 PM
Forum Newbie
Group: Forum Members
Hi,
I just configured WEC (source initiated). I configured it for Account Management and Security Group Management. When I create a local account on a source computer, it shows the account that was created. However, when I add the local account to a local group on the source computer, it generates event 4732 with the account name shown correctly, but when I receive it on the Event Collector, I get the account name as "-". I noticed the same when I remove the local account from the group.

Any idea how I can fix this?

Thanks,
TGBoy
Post #7407
Posted 10/9/2017 4:00:59 AM
Forum Newbie
Group: Forum Members
Hi, same question.
Event Collector - Windows Server 2012 R2
Post #7416
Posted 10/13/2017 9:32:24 AM
Forum Newbie
Group: Administrators
According to Microsoft this is by design. See the explanation of the description fields on this event: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732

It says there:
Account Name [Type = UnicodeString]: distinguished name of the account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For local groups this field typically has the value "-", even if the new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".

If you are using a SIEM (I believe that Splunk extracts this data), you can probably set up a correlation rule to populate this data.
Post #7418
Posted 10/25/2017 8:19:22 AM
Supreme Being
Group: Moderators
If the event is changing from the source computer to the destination collector then I would put in a ticket with MS. You still have the SID to use for investigation purposes and local group additions/removals shouldn't happen that much unless it is for well known processes and in those cases the SID can be whitelisted.

I speculate that the account name field is populated using the SID and the destination computer may not be able to perform this translation if the account is a local account on the source.
Post #7420
Posted 10/26/2017 11:55:48 AM
Forum Newbie
Group: Forum Members
Hi,

The problem is that we then need to go back to the endpoint to find the actual user ID, which requires us to have administrator privileges to read the security log of those endpoints.

Truth be told, it is currently a hassle, as we have many activities happening across our 1500+ endpoints but are unable to follow up on them, since we cannot have admin access on all systems, and we end up leaving the events.
In one instance the account was deleted and the same event could not resolve the user, since I believe it resolves the SID at the time we read that event, and if the user is no longer present on the system it returns only the SID.

I get an event log entry like the one below on the source for adding to the group and removing from the group:

A member was added to a security-enabled local group.

Subject:
    Security ID:        ComputerX\Admin
    Account Name:       Admin
    Account Domain:     ComputerX
    Logon ID:           0x5F44B142

Member:
    Security ID:        ComputerX\sfsdfdsf
    Account Name:       -

Group:
    Security ID:        BUILTIN\Administrators
    Group Name:         Administrators
    Group Domain:       Builtin

Additional Information:
    Privileges:         -
On the Event Collector computer (source initiated WEC), when I receive this log, the above entry arrives as shown below:
A member was added to a security-enabled local group.

Subject:
    Security ID:        ComputerX\Admin
    Account Name:       Admin
    Account Domain:     ComputerX
    Logon ID:           0x5F44B142

Member:
    Security ID:        S-1-5-21-1703328512-1423390700-918956169-1024
    Account Name:       -

Group:
    Security ID:        BUILTIN\Administrators
    Group Name:         Administrators
    Group Domain:       Builtin

Additional Information:
    Privileges:         -
As shown, the Security ID, which contains the user name in human-readable format on the source, is replaced by the SID of the user when the Collector computer receives it. The same happens when the user is removed from the group.
Post #7421
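The correlation idea raised in post #7418, applied to the event pair shown in post #7421, as an added PowerShell example that is not part of the thread and is not Microsoft's code. It runs on the collector and resolves the "-" member name of forwarded 4732 (member added) and 4733 (member removed) events by matching the MemberSid against the TargetSid of 4720 (user account created) events forwarded from the same endpoints, which the original poster confirms arrive with the name intact. It assumes the default ForwardedEvents log, that the subscription also forwards 4720, and that the endpoints do not share a machine SID (no cloned images). The log name, time window and field names used here are the standard ones for these event IDs; the function names are my own.

```powershell
<#
  Added example, not from the original thread. Enriches forwarded 4732/4733
  events on a WEC collector by correlating MemberSid with 4720 events.
  Assumptions: ForwardedEvents is the subscription's destination log, 4720 is
  forwarded from the same sources, and machine SIDs are unique per endpoint.
#>
param([int]$Days = 30)

$since = (Get-Date).AddDays(-$Days)

# Flatten the <EventData> section of a record into a Name -> value hashtable.
function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $table = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        $table[[string]$d.Name] = [string]$d.'#text'
    }
    return $table
}

# Pass 1: learn SID -> DOMAIN\name from 4720 (A user account was created).
# The collector cannot translate a SID that only exists in an endpoint's
# local SAM, so the creation event is the only place the name is available.
$sidMap = @{}
$filter4720 = @{ LogName = 'ForwardedEvents'; Id = 4720; StartTime = $since }
Get-WinEvent -FilterHashtable $filter4720 -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventDataTable $_
    if ($d['TargetSid']) {
        $sidMap[$d['TargetSid']] = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
    }
}

# Fallback for SIDs the collector can translate itself (domain accounts and
# well-known principals). Endpoint-local SIDs throw IdentityNotMappedException.
function Resolve-SidOnCollector {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

# Pass 2: enrich 4732 (added) and 4733 (removed) where MemberName is "-".
$filterGroup = @{ LogName = 'ForwardedEvents'; Id = 4732, 4733; StartTime = $since }
$rows = Get-WinEvent -FilterHashtable $filterGroup -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventDataTable $_
    $memberSid  = $d['MemberSid']
    $memberName = $d['MemberName']
    $how = 'present in event'

    if ([string]::IsNullOrEmpty($memberName) -or $memberName -eq '-') {
        $resolved = $null
        if ($memberSid -and $sidMap.ContainsKey($memberSid)) {
            $resolved = $sidMap[$memberSid]
            $how = '4720 correlation'
        } elseif ($memberSid) {
            $resolved = Resolve-SidOnCollector $memberSid
            if ($resolved) { $how = 'collector lookup' }
        }
        if ($resolved) {
            $memberName = $resolved
        } else {
            # Keep the raw SID: it is still a stable key for allow-listing and
            # for a later manual lookup on the endpoint.
            $memberName = $memberSid
            $how = 'unresolved, raw SID'
        }
    }

    $action = if ($_.Id -eq 4732) { 'Added' } else { 'Removed' }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Source      = $_.MachineName          # endpoint that generated the event
        Action      = $action
        Group       = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        MemberSid   = $memberSid
        MemberName  = $memberName
        ResolvedBy  = $how
    }
}

$rows | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it on the collector as a member of Event Log Readers; no access to the endpoints is needed. Because the name comes from the stored 4720 event rather than a live SID lookup, it still resolves after the account has been deleted, which is the case that could not be resolved in post #7421. The map only covers accounts created after 4720 forwarding began; accounts that predate it show up as "unresolved, raw SID" unless $sidMap is seeded from a one-time inventory of local users and their SIDs.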
All times are GMT -5:00.