This is the current query, but it's not really providing the needed data for the search.
index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| transaction src maxspan=10m maxpause=2m
| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src
| search Dest_Count >35
| sort - Dest_Count
I really don't care about the Dest_Count >35; it was an attempt to gather something to start with. I was told to research the transaction command to obtain the required results.
The transaction command may help, but not with those options.
| transaction src maxspan=10m maxpause=2m
says to combine events with the same value in the src field and to close the transaction after 10 minutes or if there is a gap of at least 2 minutes between events. That doesn't meet the requirements as I understand them. Perhaps this will get you closer:
index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| transaction src maxspan=2m
| where eventcount > 10
| sort - eventcount
Be warned that transaction is an inefficient command. A faster method uses streamstats (adapted from https://community.splunk.com/t5/Splunk-Search/Multiple-Login-Failure-Attempts/td-p/325933)
index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src
| where Dest_Count >= 10
| sort - Dest_Count
How would I combine this output to look similar to this, as an example? I may have selected the wrong options, but the requirements are still the same.
SRC (Source System)   Dest_Count   Target_Systems
Host123               5            Hosta
                                   Hostb
                                   Hostc
                                   Hostd
                                   Hoste
                                   Hoste
Try this. The stats command does the grouping you seek.
index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src
| where Dest_Count >= 10
| stats values(Dest_Count) as Dest_Count, values(dest) as Target_Systems by src
| sort - Dest_Count
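To make the difference between the two approaches in this thread concrete, here is an added Python model (not code from the thread or from Splunk) of what `streamstats time_window=2m dc(dest) BY src` followed by `where`/`stats` computes, beside a simplified model of `transaction src maxspan=... maxpause=...`. The events, host names and timestamps are constructed for illustration; `streamstats_dc_window`, `flag_sources` and `transaction_by_src` are hypothetical helper names, and the transaction model only reproduces the maxspan/maxpause closing rules, not every option of the real command.

```python
from collections import deque

# Constructed sample of Windows 4624 / Logon_Type=3 events, as (_time, src, dest).
# Host names are hypothetical; _time is epoch seconds like Splunk's _time field.
BASE = 1704110400  # 2024-01-01 12:00:00 UTC

SAMPLE_EVENTS = (
    [(BASE + 7 * i, "HOST-A", f"SRV-{i:02d}") for i in range(12)]  # 12 distinct dests in 77 s
    + [(BASE + 200 * i, "HOST-B", f"FS-{i}") for i in range(3)]    # 3 dests, 200 s apart
    + [(BASE + 5 * i, "HOST-C", "DC-01") for i in range(12)]       # one dest hit 12 times in 55 s
)


def streamstats_dc_window(events, window):
    """Model of `streamstats time_window=<window> dc(dest) BY src`.

    Events are processed in time order; for each one, Dest_Count is the number of
    distinct dest values seen for the same src within the trailing `window` seconds.
    Returns (ts, src, dest, Dest_Count) per event.
    """
    recent = {}  # src -> deque of (ts, dest) still inside the window
    out = []
    for ts, src, dest in sorted(events, key=lambda e: e[0]):
        dq = recent.setdefault(src, deque())
        dq.append((ts, dest))
        while ts - dq[0][0] > window:  # drop events older than the window
            dq.popleft()
        out.append((ts, src, dest, len({d for _, d in dq})))
    return out


def flag_sources(events, window=120, threshold=10):
    """Model of `| where Dest_Count >= threshold
                 | stats values(Dest_Count) as Dest_Count, values(dest) as Target_Systems by src`
    (Dest_Count is reduced to its maximum here instead of a multivalue field).

    Only events that were themselves at or above the threshold survive the `where`,
    so Target_Systems lists the dests of those events, not every dest in the window.
    """
    flagged = {}
    for ts, src, dest, dc in streamstats_dc_window(events, window):
        if dc >= threshold:
            entry = flagged.setdefault(src, {"Dest_Count": 0, "Target_Systems": set()})
            entry["Dest_Count"] = max(entry["Dest_Count"], dc)
            entry["Target_Systems"].add(dest)
    return {s: {"Dest_Count": e["Dest_Count"], "Target_Systems": sorted(e["Target_Systems"])}
            for s, e in flagged.items()}


def transaction_by_src(events, maxspan, maxpause=None):
    """Simplified model of `transaction src maxspan=<maxspan> maxpause=<maxpause>`.

    Consecutive events of one src are grouped; the group is closed and a new one
    started when the next event would push the span past `maxspan` seconds or the
    gap since the previous event exceeds `maxpause` seconds (if given).
    Returns (src, eventcount, distinct dest count) per group.
    """
    open_tx = {}  # src -> [first_ts, last_ts, [dests]]
    closed = []
    for ts, src, dest in sorted(events, key=lambda e: e[0]):
        tx = open_tx.get(src)
        if tx and (ts - tx[0] > maxspan or (maxpause is not None and ts - tx[1] > maxpause)):
            closed.append((src, len(tx[2]), len(set(tx[2]))))
            tx = None
        if tx is None:
            tx = open_tx[src] = [ts, ts, []]
        tx[1] = ts
        tx[2].append(dest)
    closed.extend((src, len(tx[2]), len(set(tx[2]))) for src, tx in open_tx.items())
    return closed


if __name__ == "__main__":
    print("streamstats + stats:", flag_sources(SAMPLE_EVENTS))
    print("transaction maxspan=2m, where eventcount > 10:",
          [t for t in transaction_by_src(SAMPLE_EVENTS, 120) if t[1] > 10])
```

Running it shows the two caveats a detection engineer cares about here: `where eventcount > 10` after `transaction src maxspan=2m` flags HOST-C, which logged on to a single destination twelve times, while `dc(dest)` only flags HOST-A, which fanned out to twelve distinct destinations; and with maxpause=2m the three HOST-B logons 200 seconds apart never join one transaction at all. Note also that `values(dest)` placed after the `where` only lists destinations from events that were already over the threshold; to list every destination in the window, collect them before filtering.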
Thanks for your response,
The required result is to determine if a single system was logging into multiple systems within a time period. If system credentials were compromised they may be logging into multiple systems within a time span. I understand event 4624 is a legitimate log, but it may indicate a possible issue if logging from the same system into multiple devices. I really don't need the | where Dest_Count >35. I need to know, for example, if there were 10 successful logins from the same system within 2 minutes. That's why I was attempting to use the | transaction src maxspan=10m maxpause=2m. I hope that clears up the requirements.
It would help if you said what the required results are, but I think the transaction command is not needed. Try this query, which assumes the dest and src fields already exist.
index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src
| where Dest_Count >35
| sort - Dest_Count