Alerting

how to limit events returned at the same time based on the field "logon_type"

massumtaqi
New Member

I am trying to limit the events returned or the number of alerts triggered at the same time or within 5 seconds if the field "logon_type" shows the same in all events.

I want to check that condition and, if it is met, i.e. Logon_Type="!7" within 5 seconds, trigger the alert once regardless of how many kick in. So, for example, if the logon type is 3 then only one event should show.

0 Karma

massumtaqi
New Member

EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"

It shows multiple events with logon type 3 when I RDP into a server. I want to limit that to 1. How can I do that?

0 Karma

Sukisen1981
Champion

Have you thought about doing it through a single alert? For example, say logon type 3 occurs 2 times during a 5 second interval and logon type 4 occurs once within the same 5 second interval; your single alert should contain a result with a column header (say logon_type) with 2 row entries, 1 each for types 3 and 4.
Without looking at your alert search it could be something like this - | where Logon_Type!="7" | dedup Logon_Type | table _time,Logon_Type

0 Karma

massumtaqi
New Member

It works, thanks. However, I keep getting one email of logon type 3 every few minutes (not constant, 10 min, 20 min) while I am RDP'd into the server and not doing anything, just logged in basically. How do I stop those concurrent emails, as I need one email only when I use my login credential initially? Thanks again!

0 Karma

Sukisen1981
Champion

Hi, that is more of an alert search issue... we need to look at your events and see what search you are executing to generate the alert.

0 Karma

massumtaqi
New Member

EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| dedup Logon_Type

This is what I am trying to execute because I want to be alerted when my admin account (.a) is used. When I log in to the server and stay in and do nothing, the event triggers every 5 to 20 minutes on logon type 3, which I don't want, as I want to be alerted only once.

For example, if my .a account is used to run a script that would create another .a account without actually logging in or RDPing in to the server, I should be alerted once with logon type 3. Therefore, I put a where clause on logon type 3 if there is no preceding logon type 2 or 10.

Please advise!

0 Karma

woodcock
Esteemed Legend

Your question is very unclear but there is a throttling mechanism in the save dialog that has many options, including checking recent field values. If you need more direct control, you can add | outputlookup alert_tracking.csv and save this as a simple report and have another search which is the actual alert start with |inputlookup alert_tracking.csv followed by the throttling logic that you need.

0 Karma
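The two suggestions in this thread (Sukisen1981's dedup per logon type, and woodcock's idea of keeping a tracking table that the alert search consults before firing) describe stateful suppression logic. The following is an added example, not code from this thread or from Splunk, that models that logic in Python over constructed 4624-style event text so the behaviour can be checked offline: it extracts Logon Type and the New Logon Security ID the way the two rex commands do, keeps the account-suffix and null-GUID filters from the poster's search, records the last interactive (type 2/10) logon per account so that the network logons an RDP session produces are not re-alerted, and keeps a per-(account, logon_type) last-alert table that plays the role of alert_tracking.csv. The account suffix ".a", the 30-minute and 1-hour windows, and all sample events are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Equivalents of the thread's two rex extractions, anchored on whitespace
# instead of a fixed count of "." wildcards so tab width does not matter.
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(\d+)")
SECURITY_ID_RE = re.compile(r"New Logon:\s+Security ID:\s+(\S+)")
LOGON_GUID_RE = re.compile(r"Logon GUID:\s+(\{[0-9A-Fa-f-]+\})")
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"


def parse_4624(raw):
    """Return (security_id, logon_type, logon_guid) or None if a field is missing."""
    t = LOGON_TYPE_RE.search(raw)
    s = SECURITY_ID_RE.search(raw)
    if not (t and s):
        return None
    g = LOGON_GUID_RE.search(raw)
    return s.group(1), int(t.group(1)), (g.group(1) if g else None)


class LogonAlertThrottle:
    """Stateful suppression: one alert per (account, logon type) per window,
    and no type-3 alert while an interactive session for that account is recent."""

    def __init__(self, account_suffix=".a", interactive_types=(2, 10),
                 interactive_window=timedelta(minutes=30),
                 suppress_window=timedelta(hours=1)):
        self.account_suffix = account_suffix          # assumed admin-account naming
        self.interactive_types = set(interactive_types)
        self.interactive_window = interactive_window
        self.suppress_window = suppress_window
        self.last_alert = {}        # (security_id, logon_type) -> datetime; the tracking table
        self.last_interactive = {}  # security_id -> datetime of last type 2/10 logon

    def process(self, ts, raw):
        """Return an alert dict for this event, or None if it is filtered or suppressed."""
        parsed = parse_4624(raw)
        if parsed is None:
            return None
        sid, logon_type, guid = parsed
        if not sid.endswith(self.account_suffix) or guid == NULL_GUID:
            return None
        if logon_type in self.interactive_types:
            self.last_interactive[sid] = ts
        elif logon_type == 3:
            last = self.last_interactive.get(sid)
            if last is not None and ts - last <= self.interactive_window:
                return None  # network logon belongs to a session that already alerted
        else:
            return None      # other logon types are out of scope for this alert
        key = (sid, logon_type)
        prev = self.last_alert.get(key)
        if prev is not None and ts - prev < self.suppress_window:
            return None      # same account and type fired recently: throttle
        self.last_alert[key] = ts
        return {"time": ts, "account": sid, "logon_type": logon_type}


def run_alerts(events, throttle=None):
    """Feed (timestamp, raw_event) pairs in time order; return the alerts that fire."""
    throttle = throttle or LogonAlertThrottle()
    alerts = []
    for ts, raw in sorted(events, key=lambda e: e[0]):
        alert = throttle.process(ts, raw)
        if alert:
            alerts.append(alert)
    return alerts


def event(security_id, logon_type, guid="{1b2c3d4e-0000-4000-8000-000000000001}"):
    # Constructed text in the layout of a Windows 4624 message; not a real log.
    return (
        "EventCode=4624\nAn account was successfully logged on.\n"
        "Subject:\n\tSecurity ID:\t\tNULL SID\n"
        f"Logon Type:\t\t{logon_type}\n"
        f"New Logon:\n\tSecurity ID:\t\t{security_id}\n"
        f"\tLogon GUID:\t\t{guid}\n"
    )


T0 = datetime(2020, 3, 2, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed scenario
    (T0, event("CORP\\mtaqi.a", 10)),                                   # RDP logon: alert once
    (T0 + timedelta(seconds=1), event("CORP\\mtaqi.a", 3)),             # network logon from that session
    (T0 + timedelta(seconds=2), event("CORP\\mtaqi.a", 10)),            # repeated within the window
    (T0 + timedelta(minutes=12), event("CORP\\mtaqi.a", 3)),            # still inside the RDP session
    (T0 + timedelta(minutes=20), event("CORP\\jdoe", 3)),               # not an admin account
    (T0 + timedelta(minutes=25), event("CORP\\mtaqi.a", 3, guid=NULL_GUID)),  # null GUID filtered
    (T0 + timedelta(hours=2), event("CORP\\mtaqi.a", 3)),               # script use, no session: alert
    (T0 + timedelta(hours=2, seconds=4), event("CORP\\mtaqi.a", 3)),    # duplicate, throttled
]

if __name__ == "__main__":
    for a in run_alerts(SAMPLE_EVENTS):
        print(a["time"].isoformat(), a["account"], "logon_type", a["logon_type"])
```

On the sample scenario only two alerts fire: the initial type 10 RDP logon and the type 3 logon two hours later with no interactive session behind it. In Splunk the `last_alert` table is what a scheduled report would persist with outputlookup and the alert search would read back with inputlookup; the `last_interactive` lookup is the "no preceding type 2 or 10" condition the poster describes.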

massumtaqi
New Member

Thanks for your response, but I am looking for what I mentioned in the above comment with Sukisen. I appreciate your response though!

0 Karma