https://community.splunk.com/t5/Splunk-Search/Anomaly-detection-in-Splunk/m-p/575577#M200563 <P class="">Hi all,</P><P class="">I am new to Splunk and have been trying to work on a use case to detect anomalous switches from one type of account to another.</P><P class=""><STRONG>Index A</STRONG>: Has the list of switches i.e. has two columns: 'Old account', 'New account'.<BR /><STRONG>Index B</STRONG>: Has the *type* of accounts. It has two columns: 'Accounts', 'Account_types'.</P><P class="">Till now, using commands like join (after renaming certain columns), I have been able to get to a point where I have a<SPAN>&nbsp;</SPAN><STRONG>table of 4 columns, 'Old account', 'Old_account_type', New account', 'New_account_type'.</STRONG></P><P class=""><STRONG>Aim</STRONG>:<BR />I need to implement logic to detect if old accounts switch to 'unusual' new accounts**.**</P><P class=""><STRONG>Idea so far</STRONG>:<BR />I wish to create a dictionary of some sort where there is a list of new accounts and new_account_type(s) an old account has switched to. And then, if the old account switches to an account not in this dictionary, I wish to flag it up. Does this sound like a logical idea?</P><P class="">For example, if looking at past 4 switches, if an old account named A of the type 'admin', switches to new accounts named 1, 2, 3, 4 of type admin, user, admin, admin, then the dictionary should look like<BR />A_switches = {<BR />"Old Account": "A",<BR />"old_account_type":"admin",<BR />"New Account": [1 , 2 , 3, 4],<BR />"type": [admin, user]<BR />}</P><P class="">This query needs to be run each hour to flag up unusual switches. Can someone suggest how I can implement the above logic i.e. create a dictionary and spot unusual activity?</P><P class="">Apologies for the long question and if something isn't clear.</P> Fri, 19 Nov 2021 01:47:39 GMT axm1295 2021-11-19T01:47:39Z https://community.splunk.com/t5/Splunk-Search/Anomaly-detection-in-Splunk/m-p/575577#M200563 <P class="">Hi all,</P><P class="">I am new to Splunk and have been trying to work on a use case to detect anomalous switches from one type of account to another.</P><P class=""><STRONG>Index A</STRONG>: Has the list of switches i.e. has two columns: 'Old account', 'New account'.<BR /><STRONG>Index B</STRONG>: Has the *type* of accounts. It has two columns: 'Accounts', 'Account_types'.</P><P class="">Till now, using commands like join (after renaming certain columns), I have been able to get to a point where I have a<SPAN>&nbsp;</SPAN><STRONG>table of 4 columns, 'Old account', 'Old_account_type', New account', 'New_account_type'.</STRONG></P><P class=""><STRONG>Aim</STRONG>:<BR />I need to implement logic to detect if old accounts switch to 'unusual' new accounts**.**</P><P class=""><STRONG>Idea so far</STRONG>:<BR />I wish to create a dictionary of some sort where there is a list of new accounts and new_account_type(s) an old account has switched to. And then, if the old account switches to an account not in this dictionary, I wish to flag it up. Does this sound like a logical idea?</P><P class="">For example, if looking at past 4 switches, if an old account named A of the type 'admin', switches to new accounts named 1, 2, 3, 4 of type admin, user, admin, admin, then the dictionary should look like<BR />A_switches = {<BR />"Old Account": "A",<BR />"old_account_type":"admin",<BR />"New Account": [1 , 2 , 3, 4],<BR />"type": [admin, user]<BR />}</P><P class="">This query needs to be run each hour to flag up unusual switches. Can someone suggest how I can implement the above logic i.e. create a dictionary and spot unusual activity?</P><P class="">Apologies for the long question and if something isn't clear.</P> Fri, 19 Nov 2021 01:47:39 GMT https://community.splunk.com/t5/Splunk-Search/Anomaly-detection-in-Splunk/m-p/575577#M200563 axm1295 2021-11-19T01:47:39Z https://community.splunk.com/t5/Splunk-Search/Anomaly-detection-in-Splunk/m-p/575600#M200578 <P>Would this gather the information you need?</P><LI-CODE lang="markup">| stats values(new_account) as new_accounts values(new_account_type) as new_account_types by old_account old_account_type</LI-CODE> Fri, 19 Nov 2021 08:53:22 GMT https://community.splunk.com/t5/Splunk-Search/Anomaly-detection-in-Splunk/m-p/575600#M200578 ITWhisperer 2021-11-19T08:53:22Z https://community.splunk.com/t5/Splunk-Search/Anomaly-detection-in-Splunk/m-p/575607#M200581 <P>Before tackling the question of anomaly, I made the following simulations in order to clarify premises. &nbsp;Please let me know if my understanding of the problem is correct:&nbsp;indexA is a regular audit log that contains an ID that cannot be changed, account names associated with each ID that can change over time; each of these account names have an associated type that is stored in indexB; only the latest association is valid. &nbsp;Hence,</P><P>&nbsp;</P><LI-CODE lang="markup">``` simulation of indexA ``` | makeresults | eval inc = mvrange(0, 4) | mvexpand inc | eval _time=_time + inc*3600 | eval index = "index1", id = "userA", account = case(inc==0, "john", inc==1, "jeff", inc==2, "joe", inc==3, "jack”) | fields - inc</LI-CODE><P>&nbsp;</P><DIV class=""><DIV class="">&nbsp;</DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><TABLE><TBODY><TR><TD>_time</TD><TD>account</TD><TD>id</TD><TD>index</TD></TR><TR><TD>2021-11-19 00:27:02</TD><TD>john</TD><TD>userX</TD><TD>indexA</TD></TR><TR><TD>2021-11-19 01:27:02</TD><TD>jeff</TD><TD>userX</TD><TD>indexA</TD></TR><TR><TD>2021-11-19 02:27:02</TD><TD>joe</TD><TD>userX</TD><TD>indexA</TD></TR><TR><TD>2021-11-19 03:27:02</TD><TD>jack</TD><TD>userX</TD><TD>indexA</TD></TR></TBODY></TABLE><P>Note &nbsp;the above depicts progression of a single ID userX over a period of 4 hours.</P></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">``` simulation of indexB ``` | makeresults | eval john="admin", jack="user", jeff="user", joe="robot", jim="admin" | stats values(j*) as j* | transpose | eval _time = now(), index = "indexB" | rename column as account, "row 1" as type</LI-CODE><P>&nbsp;</P><TABLE><TBODY><TR><TD>account</TD><TD>type</TD><TD>_time</TD><TD>index</TD></TR><TR><TD>jack</TD><TD>user</TD><TD>2021-11-19 00:32:27</TD><TD>indexB</TD></TR><TR><TD>jeff</TD><TD>user</TD><TD>2021-11-19 00:32:27</TD><TD>indexB</TD></TR><TR><TD>jim</TD><TD>admin</TD><TD>2021-11-19 00:32:27</TD><TD>indexB</TD></TR><TR><TD>joe</TD><TD>robot</TD><TD>2021-11-19 00:32:27</TD><TD>indexB</TD></TR><TR><TD>john</TD><TD>admin</TD><TD>2021-11-19 00:32:27</TD><TD>indexB</TD></TR></TBODY></TABLE><P>The above depicts the latest snapshot of the account table, therefore a single timestamp.</P><P>If the two assumptions look correct, I can think of two ways to combine the data, based on the labels you put in the question. &nbsp;First is KV lookup: you can dump the latest account table from indexB into a lookup table, then use lookup to associate accounts in indexA with types.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval john="admin", jack="user", jeff="user", joe="robot", jim="admin" | stats values(j*) as j* | transpose | eval _time = now(), index = "index2" | rename column as account, "row 1" as type ``` dump latest snapshot of indexB into lookup ``` | dedup account type | fields - _time | outputlookup accounttype.csv</LI-CODE><P>&nbsp;</P><P>Then, use this lookup in indexA</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval inc = mvrange(0, 4) | mvexpand inc | eval _time=_time + inc*3600 | eval index = "index1", id = "userA", account = case(inc==0, "john", inc==1, "jeff", inc==2, "joe", inc==3, "jack”) | fields - inc ``` lookup accounttype.csv ``` | lookup accounttype.csv account</LI-CODE><P>&nbsp;</P><P>This method requires the lookup table to be maintained up to date. &nbsp;This can be a disadvantage.</P><P>Meanwhile, since you are also considering <U>join</U>, let me illustrate a different method, <U>append</U>, which is less expensive. (Many thanks to bowesmana who recently reminded me of this trick.)</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults ``` simulate index1``` | eval inc = mvrange(0, 4) | mvexpand inc | eval _time=_time + inc*3600 | eval index = "indexA", id = "userX", account = case(inc==0, "john", inc==1, "jeff", inc==2, "joe", inc==3, "jack") | fields - inc ``` less expensive than join ``` | append [ ``` simulat index2 ``` | makeresults | eval john="admin", jack="user", jeff="user", joe="robot", jim="admin" | stats values(j*) as j* | transpose | eval _time = now(), index = "indexB" | rename column as account, "row 1" as type ``` only use latest, not interested in _time in indexB ``` | dedup account type | fields - _time] ``` associate account type with account ``` | fields - index | stats values(*) as * values(_time) as _time by account | where isnotnull(id) ``` only necessary in this simulation ``` | sort _time</LI-CODE><P>&nbsp;</P><P>This gives you</P><TABLE><TBODY><TR><TD>account</TD><TD>id</TD><TD>type</TD><TD>_time</TD></TR><TR><TD>john</TD><TD>userX</TD><TD>admin</TD><TD>2021-11-19 01:07:50</TD></TR><TR><TD>jeff</TD><TD>userX</TD><TD>user</TD><TD>2021-11-19 02:07:50</TD></TR><TR><TD>joe</TD><TD>userX</TD><TD>robot</TD><TD>2021-11-19 03:07:50</TD></TR><TR><TD>jack</TD><TD>userX</TD><TD>user</TD><TD>2021-11-19 04:07:50</TD></TR></TBODY></TABLE><P>With simulated data, userX's earliest account:type is john:admin, then it becomes jeff:user, then joe:user, and as of late, jack:user; in account type alone, the progression is admin-&gt;user-&gt;robot-user.</P><P>Note I added a filter "| where isnotnull(id)" because account jim in indexB is not associated with userX, making a funny display in the end result. &nbsp;In the real world, an account is always associated with an id, the funny display should not happen.</P><P>Also, wildcard "values(*) as *" &nbsp;does not work on _time, hence "values(_time) as _time" is necessary.</P> Fri, 19 Nov 2021 09:32:13 GMT https://community.splunk.com/t5/Splunk-Search/Anomaly-detection-in-Splunk/m-p/575607#M200581 yuanliu 2021-11-19T09:32:13Z