topic What does connected do in transaction command in Splunk Search

What does connected do in transaction command

mohammadsharukh — Wed, 20 Sep 2023 06:32:06 GMT

I am working to create a use case to detect account created and deleted within short period of time

Could you please give a simple example how connected true/false will affect results of transaction command.

I already referred previous answer but didnt understand the explanation.

Addionally also explain what is the affect of connected=true/false in the below query and also what is the best practice.

sourcetype=wineventlog (EventCode=4726 OR EventCode=4720) | transaction user maxspan=240m startswith="EventCode=4720" endswith="EventCode=4726" connected=false| table Time, dest, EventCode, user, src_user, Account_Domain

@Ledion_Bitincka

@richgalloway

Re: What does connected do in transaction command

gcusello — Wed, 20 Sep 2023 06:44:57 GMT

Hi @mohammadsharukh,

if I correctly remember, there's a sample of a shourt living account in the Splunk Security Essential App, that I hint.

Anyway, don't use the transaction command because it's very slow, please try this search:

sourcetype=wineventlog (EventCode=4726 OR EventCode=4720) | stats earliest(eval(EventCode=4720)) AS earliest latest(eval(EventCode=4726)) AS latest values(dest) AS dest values(src_user) AS src_user values(Account_Domain) AS Account_Domain BY user | eval diff=latest-earliest, creation_time=strftime(earliest,"%Y-%m-%d %H:%M:%S"), deletion_time=strftime(latest,"%Y-%m-%d %H:%M:%S") | where diff<240*60 | table creation_time deletion_time dest EventCode user src_user Account_Domain

Ciao.

Giuseppe