Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Searching events after log

JacobWrdz
Explorer
‎10-21-2020 06:13 AM

Hello,

I would like to create the alert that:

someone login to system (event login = successful login) and I just want to check if in 5 min from this event, was any user or group was created by user (which is not member of admin group).

or another version:

If X notification was triggered +  notification about new user or new group was triggered (created not by admin)- but 1h before and 1h after notification X (timestamp), then: generate alert

Could you please provide some tips for this case?

 

Best regards,

Jacob

Labels (3)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
li.common.scroll-to.top