topic Re: Bulk System Deletion Creating a Unified Search Query. in Splunk Search

How to create Bulk System Deletion Creating a Unified Search Query?

AL3Z — Wed, 23 Aug 2023 07:10:49 GMT

Hello,

I'm trying to create a search to identify instances of bulk system deletions that took place within a one-minute time frame, and describe a method to consolidate all these results into a single search query.

Thanks

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Wed, 02 Aug 2023 14:16:08 GMT

Are you just looking for certain events in your logs with various criteria?

If so, perhaps you could share some anonymised events that you are dealing with?

Re: How to create Bulk System Deletion Creating a Unified Search Query?

AL3Z — Wed, 23 Aug 2023 07:11:30 GMT

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Wed, 02 Aug 2023 15:01:43 GMT

Not sure what you have posted here - is your event from <event> to </event> and the rest trying to show what fields you have already extracted (complete with field values running into the next field name)?

Please repost in a codeblock (using the </> button to create a block to paste the event into).

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Wed, 02 Aug 2023 16:52:27 GMT

@ITWhisperer Yeah, These are all the events respective to there event codes.
Do we need to have the all the event codes in the single event ?
OR its fine to have the all in the individual events ?

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Wed, 02 Aug 2023 16:57:11 GMT

Single events are fine - I assume _time has already been set to the event creation time or whatever you need it to be? Or do you need help extracting the event id and time?

Assuming you have the values already extracted, are you just looking for a way to determine if 100 (or more) events (of a particular type) have occurred in the same minute, or somehow determine, for each event, whether 99 of the same event type have occurred in the previous 60 seconds?

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Wed, 02 Aug 2023 17:45:43 GMT

@ITWhisperer ,
I have just posted a single event from each of the specific eventcode events.
I need help in creating a correlation search for above scenario like when ever any Ad machines deleted from the AD environment for 100 events in a minute the alert should triggered like wise user account deletion and ad machine disabled for 100 events in a minute, and when user added to group it should trigger an alert.
I am looking for a way to determine if 100 (or more) events (of a particular type) have occurred in the same minute.

Thanks

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Wed, 02 Aug 2023 17:49:24 GMT

| bin _time span=1m | stats count by _time eventID

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Wed, 02 Aug 2023 17:58:51 GMT

Can we make a single search using all these Eventcodes ?

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Wed, 02 Aug 2023 18:02:32 GMT

Yes, because the stats is by time and eventId you will get a line for each event type for each minute some events occurred in - you just have to filter by event type and relevant count

| where (eventID="4743" AND count >= 100) OR (eventID= ...) etc.

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Thu, 03 Aug 2023 12:55:40 GMT

@ITWhisperer

Hi,

this

| bin _time span=1m
| stats count by _time eventID

is not working as expected if I go with the last 30 days it is showing results why so ?
then what is the use of bin _time span=1m.

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Thu, 03 Aug 2023 13:04:12 GMT

I am not sure I understand the question - your requirement was for counts in the last minute, why are you now talking about 30 days? Are you running the search over the last 30 days? That is an awful lot of minutes!

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Thu, 03 Aug 2023 13:17:05 GMT

I opted for a 30-day trial to see if there were any noticeable outcomes. As I dnt see any alerts for the last 30 days!

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Mon, 07 Aug 2023 09:09:25 GMT

Hi, @ITWhisperer

How do we enhance this search as per the use case ..

index=xyz sourcetype=X ((EventCode=4743 AND NOT TargetUserName="Win") OR (EventCode=4726 AND NOT TargetUserName="EC") OR (EventCode=4725 AND (NOT TargetUserName="WinDi" OR TargetUserName="EC_GMS")) OR (EventCode=4728 AND NOT TargetUserName="None") ) | stats count, values(signature) as event_detail, values(TargetUserName) as target_name by Computer, EventCode | where count > 1 AND EventCode=4728 | bin _time span=1m | where count >= 100

Thanks

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Thu, 03 Aug 2023 13:48:37 GMT

Are you sure there should have been any? How about if you reduced it to 10 in a minute?

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Thu, 03 Aug 2023 13:51:38 GMT

index=xyz sourcetype=X ((EventCode=4743 AND NOT TargetUserName="Win") OR (EventCode=4726 AND NOT TargetUserName="EC") OR (EventCode=4725 AND (NOT TargetUserName="WinDi" OR TargetUserName="EC_GMS")) OR (EventCode=4728 AND NOT TargetUserName="None") ) | bin _time span=1m | stats count, values(signature) as event_detail, values(TargetUserName) as target_name by _time, Computer, EventCode | where (count > 1 AND EventCode=4728) OR count >= 100

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Thu, 03 Aug 2023 14:32:23 GMT

Yes there should be!

I have made a changes to search now I can see the alerts
thanks....

Re: Bulk System Deletion Creating a Unified Search Query.

AL3Z — Mon, 07 Aug 2023 09:10:45 GMT

@ITWhisperer ,

Hi,

In order to find out if and when a member was added to a security group,I have done a search for EventCode=4728. The search returned the following:

08/02/2023 01:10:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=server1.domainname.com TaskCategory=Security Group Management OpCode=Info RecordNumber=5551234 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: domainname\jdoe Account Name: jdoe Account Domain: domainname Logon ID: 0x1e3ef1d1 Member: Security ID: domainname\jdoe Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com Group: Security ID: domainname\Test Users Group Name: Test Users Group Domain: domainname Additional Information: Privileges: -

Once I viewed this information I changed my search to look like this:

EventCode=4727 |rename Account_Name as Modifier | rename Group_Name as "Modified Group" |table _time, Host, Modifier, "Modified Group", user

My problem is that I don't know how to deal with the two account names when I display the information in a table. The Modifier displays the right information which is the first account name. I would like user to display the information from "Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com" and label it as "Member Added" as that is the member that was added to the Test Users group name.

Re: Bulk System Deletion Creating a Unified Search Query.

ITWhisperer — Mon, 07 Aug 2023 09:46:49 GMT

One way to do this (assuming your raw events are the XML event you showed earlier) is to create the appropriate eval commands and execute them with map - it should be noted that map has a limit to the number of searches to prevent excessive resource usage.

| spath Event.EventData.Data output=EventData | spath Event.EventData.Data{@Name} output=EventDataName | eval name_value=mvzip(EventDataName,EventData,"=\"") | eval name_value=mvmap(name_value,"| eval ".name_value."\"") | eval name_value=mvjoin(mvappend("| makeresults | eval _raw=\""._raw."\"",name_value)," ") | map maxsearches=100 search="| makeresults | map search="$name_value$

Re: How to create Bulk System Deletion Creating a Unified Search Query?

AL3Z — Wed, 23 Aug 2023 07:12:23 GMT

...