topic Re: Trigger Password Reset alarm by Admin by Distinct count of targets in Splunk Search

How to Trigger Password Reset alarm by Admin by Distinct count of targets?

mdicenzo — Mon, 11 Sep 2023 16:23:02 GMT

I want to essentially trigger an alarm if a user changes the password of multiple distinct user accounts within a given period of time.

I was able to start with the search below, which provides me a count of distinct user account change grouped by the source user.

When I try to apply a threshold logic to it, it doesn't appear to work.

source="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724)
| stats count(Target_Account_Name) by Subject_Account_Name

Re: Trigger Password Reset alarm by Admin by Distinct count of targets

yuanliu — Wed, 06 Sep 2023 20:54:03 GMT

You need to tell volunteers what "doesn't work" means. This is a phrase to be avoided in the best of scenarios.

This said, if Target_Account_Name and Subject_Account_Name are both available in raw events, maybe you are looking for distinct_count (aka dc) instead of count? Something like

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724) | stats dc(Target_Account_Name) by Subject_Account_Name

Hope this helps.

Re: Trigger Password Reset alarm by Admin by Distinct count of targets

mdicenzo — Fri, 08 Sep 2023 14:14:16 GMT

Hello,

Thanks for the feedback. I will be more specific next time. I wasn’t aware of the dc (distinct count) option in search.

In the example you provided, how would I alert in which the dc has a count of over 5?

Thank You

Re: Trigger Password Reset alarm by Admin by Distinct count of targets

PickleRick — Fri, 08 Sep 2023 17:06:32 GMT

1. i'd check the TA windows for eventtype. There might be one already defined covering your event codes and your search would be more concise.

2. What do you mean by "does not work"?

Re: Trigger Password Reset alarm by Admin by Distinct count of targets

yuanliu — Fri, 08 Sep 2023 22:06:21 GMT

dc outputs a number. Just use it in a logical expression, like

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724) | stats values(Target_Account_Name) dc(Target_Account_Name) by Subject_Account_Name | where 'dc(Target_Account_Name)' > 5

Or more customarily,

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724) | stats values(Target_Account_Name) as Target_Account_Name dc(Target_Account_Name) as Target_Account_Count by Subject_Account_Name | where Target_Account_Count > 5

Alternatively, you do not need to use dc. You can perform mvcount on aggregate Target_Account_Name to give more concise output.

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724) | stats values(Target_Account_Name) as Target_Account_Name by Subject_Account_Name | where mvcount(Target_Account_Name) > 5

Re: Trigger Password Reset alarm by Admin by Distinct count of targets

mdicenzo — Mon, 11 Sep 2023 14:38:05 GMT

Thanks for the feedback. This worked for me!

Re: Trigger Password Reset alarm by Admin by Distinct count of targets

yuanliu — Tue, 12 Sep 2023 01:24:12 GMT

If the problem is solved, please select the answer and close. Karma for all that helped advance the solution is also appreciated.