Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Match 2 Windows Events around the same time

willadams
Contributor
‎07-24-2019 01:26 AM

I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 woild have a failure also loogged saying "account is disabled"). I can find both of these as seperate events but how do I correlate them.

For example if I did say sourcetype="winseclogs" Eventcode=4768 I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say sourcetype="winseclogs" Eventcode=4625 I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slightl drift). How would I correlate these into a single search?

I tried this and it looks like it should work but not too sure sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]

0 Karma
Reply

dmarling
Builder
‎07-24-2019 07:48 AM

You can create a transaction that will accomplish this with the Account_Name as your field you join on:

sourcetype="winseclogs" (Eventcode=4625 OR Eventcode=4768)
| transaction Account_Name maxspan=5s
| search Eventcode=4625 Eventcode=4768

That will join the events together if they happen within 5 seconds of each other. If they truly always occur at the same exact time then you can drop that down to 1s.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...