topic Re: Search for users who have triggered multiple Windows Event Codes in Getting Data In

Search for users who have triggered multiple Windows Event Codes

trevorQmulos — Tue, 30 Aug 2016 20:13:05 GMT

I am looking for a way to show users who have matched three separate Windows Security Event Codes

IE user X has (EventCode 1 AND EventCode 2 AND EventCode 3) OR ( EventCode 4 AND EventCode 5 AND EventCode 6)-> output the three event codes + username to a table.

When I try to just use AND between EventCode, it looks for both of the EventCode numbers in the single field and doesn't find any of the results.

Re: Search for users who have triggered multiple Windows Event Codes

sundareshr — Tue, 30 Aug 2016 20:22:55 GMT

Try this

index=eventlogs (EventCode=1 OR EventCode=2 OR EventCode=3 OR EventCode=4 OR  EventCode=5 OR EventCode=6 | eval grp=if(EventCode=1 OR EventCode=2 OR EventCode=3, "Grp1", "Grp2") | chart values(EventCode) as ec by user grp | where (mvfilter(grp1, "1")>=0 AND mvfilter(grp1, "2")>=0 AND mvfilter(grp1, "3")>=0) OR (mvfilter(grp2, "4")>=0 AND mvfilter(grp2, "5")>=0 AND mvfilter(grp2, "6")>=0)

Re: Search for users who have triggered multiple Windows Event Codes

jstoner_splunk — Tue, 30 Aug 2016 20:40:19 GMT

You could do it this way:

sourcetype=wineventlog* |stats values(EventCode) by ComputerName |rename values(EventCode) AS eventCodeList |search (eventCodeList=1002 AND eventCodeList=1004 AND eventCodeList=1006)

Basically I am pulling the values in the EventCode and grouping by ComputerName, I rename that field and then I do a subsearch for those 3 values in my initial result set. Depending on what you want the final result to look like, you may want to think about time frame, sequence of event codes and if you want to narrow your initial search to a smaller event code population to streamline the initial search. That said, hopefully this gets you on your way.