#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

How to put query to trigger alert if user account has logged in during off business hours?

berzerk
Engager

How to put query to trigger alert if user account has logged in during off business hours?

0 Karma

gcusello
Legend

Hi @berzerk,

when you say off business hours are you speaking of hours outside 8.00 - 17.00 (or a different hours) in Monday-Friday but always the same in every day, in other words without considering holydays or are you speaking also about holydays?

in the first case it isn't so complicate: you have to create a search on the login conditions (e.g. in Windows EvenCode=4624) adding the off business hours: something like this:

index=wineventlog EventCode=4624 ((date_wday IN ("saturday","sunday")) OR (date_hour>17 OR date_hour<8))

If instead you have to manage also holydays, you have to create a lookup (to manage) containing all the holydays of the year (called e.g. "holydays.csv") containing at least one column:

date
2022-01-01
2022-04-18
2022-12-25
2022-12-26

then you have to add this check to the previous search:

index=wineventlog EventCode=4624 
| eval date=strftime(_time,"%Y-%m-%d")
| search [ | inputlookup holydays.csv | search type=1 | fields date ]) OR date_wday IN ("saturday","sunday") OR (date_hour>17 OR date_hour<8)

In both the situations, the main problem is to identify the login conditions (e.g. for Windows EventCode=4624).

To do this I hint to create an eventtype for each kind of log (e.g. one for Windows, one for linux, etc...) adding to all of them a tag (e.g. "LOGIN"), then you can use it in your search.

Ciao.

Giuseppe

gcusello
Legend

Hi @berzerk,

if this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma

berzerk
Engager

For others, what I did was I created a lookup table with hour and value. So from the payload hour field was already extracted and being compared to the lookup table with hours define for off business in column Tag.

The query to put using lookup after extracting the message 

| lookup offbusinesshours.csv Time as Tag_hour output Value as Value

| where isnull(Value)

0 Karma

berzerk
Engager

Hi Ranjith,

To define off business hours what query can we put in search? Also, I have the search for the logged events just request you to help me with the command how to define the off business hours

Thanks

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

It would be really helpful if you could provide more details like sample events etc to formulate a search.

In general 

  • Define the off business hours
  • Search for logged in events
  • Create alerts for the events which falls in the time frame defined

For e.g. if you are off business hours are between 6PM to 8AM, then select the time range between these time limit and search for the logged in events

Happy Splunking!
0 Karma