Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Match 2 Windows Events around the same time

willadams
Contributor
‎07-24-2019 01:26 AM

I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 woild have a failure also loogged saying "account is disabled"). I can find both of these as seperate events but how do I correlate them.

For example if I did say sourcetype="winseclogs" Eventcode=4768 I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say sourcetype="winseclogs" Eventcode=4625 I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slightl drift). How would I correlate these into a single search?

I tried this and it looks like it should work but not too sure sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]

0 Karma
Reply

dmarling
Builder
‎07-24-2019 07:48 AM

You can create a transaction that will accomplish this with the Account_Name as your field you join on:

sourcetype="winseclogs" (Eventcode=4625 OR Eventcode=4768)
| transaction Account_Name maxspan=5s
| search Eventcode=4625 Eventcode=4768

That will join the events together if they happen within 5 seconds of each other. If they truly always occur at the same exact time then you can drop that down to 1s.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...