Hi team!
I need to do this:
EventCode = 4624 and 4634 with Logon Type = 10. An event will be generated if an access volume above normal is detected. Deviation of 20% vs weekly average.
This is my search right now:
index=* (EventCode=4624 OR EventCode=4634) Logon_Type=10 eventtype=wineventlog_security
| stats values(host), values(EventCodeDescription), values(Changes), values(Account_Domain), values(action) by _time
| rename values(host) as Host, values(EventCodeDescription) as Description, values(Changes) as Changes, values(Account_Domain) as "Account Domain", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
But I don't know how to detect a deviation of 20% vs weekly average. I mean, how can I do that?
Thank you a lot.
Check out this great Q&A (don't forget to UpVote) and links:
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html
Hi @christianubeda,
You seem to be looking for something like this:
index="_audit" | timechart span=1h count as A | eventstats avg(A) as WeeklyAverage | tail 1 | eval Result=(A/WeeklyAverage)*100
From there tweak the span to compare per hour/day/week and use the result for your threshold condition.
Cheers,
David
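The baseline-and-threshold logic David describes, re-implemented in Python as an added example (not code from this thread) so it can be run offline against constructed events; it assumes the Windows TA field names EventCode and Logon_Type from the question, buckets per day like `timechart span=1d`, and takes the mean of the previous seven days as the weekly average.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD_PCT = 20.0   # deviation vs weekly average that should raise an alert
BASELINE_DAYS = 7      # "weekly average" = mean of the 7 full days before the day checked


def daily_rdp_logon_counts(events):
    """Count 4624/4634 events with Logon_Type 10 per calendar day.

    `events` yields (datetime, EventCode, Logon_Type) tuples. This is the SPL
    `(EventCode=4624 OR EventCode=4634) Logon_Type=10 | timechart span=1d count`.
    """
    counts = Counter()
    for ts, code, logon_type in events:
        if code in (4624, 4634) and logon_type == 10:
            counts[ts.date()] += 1
    return counts


def deviation_vs_weekly_average(counts, day):
    """Percent deviation of `day` from the mean of the 7 preceding days.

    Days with no events count as 0, as timechart would fill them. Returns None
    when the baseline is empty, so a day with no history never trips the alert
    (the SPL equivalent: division by zero yields null, which `where` drops).
    """
    baseline = [counts.get(day - timedelta(days=i), 0) for i in range(1, BASELINE_DAYS + 1)]
    avg = sum(baseline) / BASELINE_DAYS
    if avg == 0:
        return None
    return round((counts.get(day, 0) - avg) / avg * 100, 1)


def should_alert(counts, day, threshold=THRESHOLD_PCT):
    dev = deviation_vs_weekly_average(counts, day)
    return dev is not None and dev > threshold


def build_sample_events():
    """Constructed data: 7 baseline days with 10 RDP logons each, an 8th day
    with 13 (30% above average), plus noise that the filter must drop."""
    start = datetime(2024, 1, 1, 8, 0)
    events = []
    for d in range(7):
        events += [(start + timedelta(days=d, minutes=m), 4624, 10) for m in range(10)]
    events += [(start + timedelta(days=7, minutes=m), 4624, 10) for m in range(13)]
    events += [(start + timedelta(days=7, minutes=m), 4624, 3) for m in range(50)]   # network logons, ignored
    events += [(start + timedelta(days=7, minutes=m), 4672, 10) for m in range(5)]   # other EventCode, ignored
    return events


def run_sample():
    """Evaluate the constructed data for its last day; returns (deviation, alert)."""
    counts = daily_rdp_logon_counts(build_sample_events())
    day = datetime(2024, 1, 8).date()
    return deviation_vs_weekly_average(counts, day), should_alert(counts, day)
```

In Splunk the same shape is `timechart span=1d count` followed by `streamstats window=7 current=f avg(...)` and a `where` on the computed percentage; run it over the last eight days so the final bin has a full seven-day baseline.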