Getting Data In

Searching events after log

JacobWrdz
Explorer

Hello,

I would like to create the alert that:

someone login to system (event login = successful login) and I just want to check if in 5 min from this event, was any user or group was created by user (which is not member of admin group).

or another version:

If X notification was triggered +  notification about new user or new group was triggered (created not by admin)- but 1h before and 1h after notification X (timestamp), then: generate alert

Could you please provide some tips for this case?

 

Best regards,

Jacob

Labels (3)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...