topic Re: Search for events in sequence over time in Splunk Search

Search for events in sequence over time

RunNateRun — Mon, 02 May 2016 19:48:46 GMT

I am attempting to create a search to alert on when a previously disabled employee is re-enabled. Currently, my search is as follows:

index=* EventCode=4738 sourcetype="WinEventLog:Security" New_UAC_Value="0x10" | join type=inner [search earliest=-3m@d latest=now index=* sourcetype="WinEventLog:Security" EventCode=4725] | table _time,user,src_user,Old_UAC_Value,New_UAC_Value,EventCode

The first search identifies accounts that have been re-enabled. While this is half the battle, it also includes accounts that are being created or modified in some way. The second search (after the join) identifies disabled accounts. What I need to identify in my search are those accounts that in sometime in the past were disabled, and this more recently re-enabled.

Joining these two searches in the manner above does not produce what I expect it to.

I greatly appreciate any help provided.

Re: Search for events in sequence over time

sundareshr — Mon, 02 May 2016 21:39:05 GMT

How about something like this (this is untested code, so please edit as appropriate)

index=* sourcetype="WinEventLog:Security" EventCode=4738  OR EventCode=4725  | stats latest(eval(if(EventCode=4738 AND New_UAC_Value="0x10", _time, null()))) as E4738 latest(eval(if(EventCode=4725, _time, null()))) as E4725 by Account_Name | where E4738>E4725 | foreach E* [eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y %H:%M:%S")]

You could also try with EventCode 4722 (account enabled)

Re: Search for events in sequence over time

MuS — Mon, 02 May 2016 22:10:11 GMT

A stats search which replaces a join is most likely to be the better approach 😉

Re: Search for events in sequence over time

RunNateRun — Tue, 03 May 2016 15:25:01 GMT

Modified this to capture removal from the security-enabled global group (Event code 4729) instead of 4725. Code worked perfectly.

Thank you Sundareshr!