Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate an alert when a user logs in for the first time

bgagliardi1
Path Finder
‎05-07-2018 11:56 AM

Is there a way to generate 1 alert for the first time a user logs into something?

I've been thinking through this all morning and came up with a potential way to go about it - I've done my search and sorted by _time so that the first event is at the top, and remove all other "duplicate" events specific to the email(username) field. If someone knows how to generate 1, and only 1, alert per unique event specific to the raw data that could potentially work too.

index=myindex “actor.email”=* “events{}.name”=login_success | bucket _time span=1d | iplocation ipAddress | stats count by _time,“actor.email”,“events{}.name”,ipAddress,City,Region,Country | where count=1 | sort _time | dedup actor.email

I recognize that the bucket _time is useless in this case ;).

Thanks,

BG

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎05-07-2018 04:55 PM

One way to do this is to run an all-time search (the bin assumes you want to thereafter run it every hour)...

index=foo search that gets all user logons
| stats min(_time) as mintime by userfield
| bin _time as reporttime span=1h
| outputlookup append=f mylookup.csv

Then every hour you run something like this...

earliest=-1h@h latest=@h index=foo (your search that gets logons)
| bin _time as reporttime span=1h
| stats min(_time) as mintime min(reporttime) as reporttime by userfield
| inputlookup append=t  mylookup.csv
| stats min(mintime) as mintime min(reporttime) as reporttime by userfield
| outputlookup append=f mylookup.csv

| rename COMMENT as "now we find which ones were new.  They will have rounded down to be equal to the earliest parameter"
| addinfo
| where reporttime = info_min_time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎05-07-2018 04:55 PM

One way to do this is to run an all-time search (the bin assumes you want to thereafter run it every hour)...

index=foo search that gets all user logons
| stats min(_time) as mintime by userfield
| bin _time as reporttime span=1h
| outputlookup append=f mylookup.csv

Then every hour you run something like this...

earliest=-1h@h latest=@h index=foo (your search that gets logons)
| bin _time as reporttime span=1h
| stats min(_time) as mintime min(reporttime) as reporttime by userfield
| inputlookup append=t  mylookup.csv
| stats min(mintime) as mintime min(reporttime) as reporttime by userfield
| outputlookup append=f mylookup.csv

| rename COMMENT as "now we find which ones were new.  They will have rounded down to be equal to the earliest parameter"
| addinfo
| where reporttime = info_min_time
0 Karma
Reply
Solved! Jump to solution

jconger
Splunk Employee
Splunk Employee
‎05-07-2018 03:47 PM

Check out the Splunk Security Essentials app (this is a free app). There are a lot of great examples in there including "First Time Seen Searches". From the documentation:

"First time analysis detects the first time that an action is performed. This helps you identify out of the ordinary behavior that could indicate suspicious or malicious activity. For example, service accounts typically log in to the same set of servers. If a service account logs into a new device one day, or logs in interactively, that new behavior could indicate malicious activity."

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 12:26 PM

Well, I think I would generate a lookup, and write all users to that lookup. You could then later, run another search every X minutes over the last X minutes to fetch all users from that time, do the lookup on them, and then create an alert for every user that was not in that lookup before.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...