Monitoring Splunk

Include only certain codes.

bogdan_nicolesc
Communicator

Hi all,

I have a search like this:

(index=* OR index=_) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type= NOT (EventCode=4719 OR EventCode=4624 OR EventCode=4672 OR EventCode=4627 OR EventCode=4634 OR EventCode=4648 OR EventCode=4688 OR EventCode=4616 OR EventCode=4826 OR EventCode=4957 OR EventCode=4776 OR EventCode=1100 OR EventCode=4902 OR EventCode=4647 OR EventCode=1101 OR EventCode=4696 OR EventCode=4905 OR EventCode=4904) | eval EventCode=if(EventCode="4801","Deblocat4801",EventCode) | eval EventCode=if(EventCode="4800","Blocat4800",EventCode) | eval EventCode=if(EventCode="4625","ParolaGresita4625",EventCode) | eval Security_ID=if(Security_ID="HUB\Bogdan.NICOLESCU","Bogdan.Nicolescu",Security_ID) | eval Security_ID=if(Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759","Bogdan.Nicolescu.7759",Security_ID) | eval Security_ID=if(Security_ID="HUB\bogdan.nicolescu","Bogdan.Nicolescu.2",Security_ID) | rename EventCode AS RootObject.EventCode Security_ID AS RootObject.Security_ID | fields "_time" "host" "source" "sourcetype" "RootObject.EventCode" "RootObject.Security_ID" | bucket _time span=1s | stats dedup_splitvals=t dc(RootObject.EventCode) AS "Distinct Count of EventCode" by _time, RootObject.EventCode, RootObject.Security_ID | sort limit=100000 _time | rename RootObject.EventCode AS EventCode RootObject.Security_ID AS Security_ID | fillnull "Distinct Count of EventCode" | fields _time, EventCode, Security_ID, "Distinct Count of EventCode"

My question is, how can i include in search only:

Security_ID="Bogdan.Nicolescu" Security_ID="Bogdan.Nicolescu.2" Security_ID="Bogdan.Nicolescu.7759"

So i can get rid of exludes of:

NOT (EventCode=4719 OR EventCode=4624 OR EventCode=4672 OR EventCode=4627 OR EventCode=4634 OR EventCode=4648 OR EventCode=4688 OR EventCode=4616 OR EventCode=4826 OR EventCode=4957 OR EventCode=4776 OR EventCode=1100 OR EventCode=4902 OR EventCode=4647 OR EventCode=1101 OR EventCode=4696 OR EventCode=4905 OR EventCode=4904)

Thank you.

Tags (1)
0 Karma
1 Solution

Vijeta
Influencer

You can write your main search as

(index= OR index=_) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type=* (Security_ID="HUB\bogdan.nicolescu" OR Security_ID="HUB\bogdan.nicolescu" OR Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759")| eval Security_ID=if(Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759","Bogdan.Nicolescu.7759",Security_ID) | eval Security_ID=if(Security_ID="HUB\bogdan.nicolescu","Bogdan.Nicolescu.2",Security_ID) | rename EventCode AS RootObject.EventCode Security_ID AS RootObject.Security_ID | fields "_time" "host" "source" "sourcetype" "RootObject.EventCode" "RootObject.Security_ID" | bucket _time span=1s | stats dedup_splitvals=t dc(RootObject.EventCode) AS "Distinct Count of EventCode" by _time, RootObject.EventCode, RootObject.Security_ID | sort limit=100000 _time | rename RootObject.EventCode AS EventCode RootObject.Security_ID AS Security_ID | fillnull "Distinct Count of EventCode" | fields _time, EventCode, Security_ID, "Distinct Count of EventCode"

View solution in original post

0 Karma

Vijeta
Influencer

You can write your main search as

(index= OR index=_) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type=* (Security_ID="HUB\bogdan.nicolescu" OR Security_ID="HUB\bogdan.nicolescu" OR Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759")| eval Security_ID=if(Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759","Bogdan.Nicolescu.7759",Security_ID) | eval Security_ID=if(Security_ID="HUB\bogdan.nicolescu","Bogdan.Nicolescu.2",Security_ID) | rename EventCode AS RootObject.EventCode Security_ID AS RootObject.Security_ID | fields "_time" "host" "source" "sourcetype" "RootObject.EventCode" "RootObject.Security_ID" | bucket _time span=1s | stats dedup_splitvals=t dc(RootObject.EventCode) AS "Distinct Count of EventCode" by _time, RootObject.EventCode, RootObject.Security_ID | sort limit=100000 _time | rename RootObject.EventCode AS EventCode RootObject.Security_ID AS Security_ID | fillnull "Distinct Count of EventCode" | fields _time, EventCode, Security_ID, "Distinct Count of EventCode"
0 Karma

bogdan_nicolesc
Communicator

Hi Vijeta,

Yes! Thank you very much. Worked like a charm.

Bogdan.

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...