topic Re: Creating Indirect / Cascading Search in Alerting

Creating Indirect / Cascading Search

dscoland — Mon, 28 Sep 2020 16:54:06 GMT

Hi Splunk Community,

I have, I would hope to be, a simple question.

Our company has always monitored domain account lockouts, but recently we wanted to take it a bit further, and monitor IIS logs for potential lockouts attempted to authenticate against our Exchange CAS servers.

Therefore, our main real-time search script is as such:

index!=_audit EventCode=4740 | table _time, EventCodeDescription, Account_Name, Security_ID, Account_Domain, Caller_Computer_Name, | eval _time=strftime(_time, "%H:%M:%S %m-%d-%y") | fields - _raw | rename _time AS When?, Message AS Who?_Where?

I had an idea that, instead of going through the hassle of associating fields between WinEventLog:Security and iis to figure out why someone would get locked out on our CAS server, it would be more efficient to generate a report of the past 10minutes (give or take 3minutes haven't decided on that), for sc_win32_status=1326 (bad username or password from iis).

Script below:

My goal would be to generate this IIS report when the Caller_Computer_Name is equal to the name of one of our CAS servers when the EventCode=4740 alert is thrown.

Is there a way to achieve this?

Thank you in advance,
Daniel

Re: Creating Indirect / Cascading Search

dscoland — Tue, 24 Jun 2014 12:45:47 GMT

Is this possible with using the Python SDK?

Re: Creating Indirect / Cascading Search

somesoni2 — Tue, 24 Jun 2014 12:56:49 GMT

Name of CAS servers will be a static value?

Re: Creating Indirect / Cascading Search

dscoland — Tue, 24 Jun 2014 12:58:34 GMT

There will be multiple CAS servers, but all of them will have a static name.

Re: Creating Indirect / Cascading Search

somesoni2 — Tue, 24 Jun 2014 13:17:27 GMT

You can look at the 'map' command using which you can run a search based on the search result of another search.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

Its should be basically something like this

index!=_audit EventCode=4740 Caller_Computer_Name="YourCASServerName"| stats count | where count > 0 | map [search sourcetype="iis" sc_win32_status=1326 | eval username=lower(cs_username) | fillnull | stats count by username, cs_uri_stem, cs_User_Agent | where count>1 AND count<6 | sort by count desc]

Re: Creating Indirect / Cascading Search

dscoland — Tue, 24 Jun 2014 13:33:00 GMT

Wow, dude. I didn't know that the map command was there. Does that mean you can ma multiple searchs, or just one?

Re: Creating Indirect / Cascading Search

somesoni2 — Tue, 24 Jun 2014 13:45:19 GMT

Its basically for each search result in base search, you can run the subsearch specified in map command (that's why I used stats to limit base search results to 1). You can't map multiple searches directly but there are workarounds.

Re: Creating Indirect / Cascading Search

dscoland — Tue, 24 Jun 2014 13:53:15 GMT

It looks like this can't be run as a real-time alert because it will alert every time that there is a match in the subsearch. Is that a bug?