Re: How to put query to trigger alert if user acco...

berzerk · ‎04-20-2022

How to put query to trigger alert if user account has logged in during off business hours?

berzerk · ‎10-24-2022

Here is second part to the same question

How to use lookup if there are multiple locations with different business hours ?
@gcusello @renjith_nair @emile194

gcusello · ‎10-24-2022

Hi @berzerk,

it depends on the timezone configuration you adopted:

you could use the local time (eventually converting from _time knowing the user location) and so the business hours are the same.

If instead you converted all the timestamps in your user time, you have to create a new field from _time to use for the check, but the approach is the same.

Ciao.

Giuseppe

gcusello · ‎04-26-2022

Hi @berzerk,

when you say off business hours are you speaking of hours outside 8.00 - 17.00 (or a different hours) in Monday-Friday but always the same in every day, in other words without considering holydays or are you speaking also about holydays?

in the first case it isn't so complicate: you have to create a search on the login conditions (e.g. in Windows EvenCode=4624) adding the off business hours: something like this:

index=wineventlog EventCode=4624 ((date_wday IN ("saturday","sunday")) OR (date_hour>17 OR date_hour<8))

If instead you have to manage also holydays, you have to create a lookup (to manage) containing all the holydays of the year (called e.g. "holydays.csv") containing at least one column:

date
2022-01-01
2022-04-18
2022-12-25
2022-12-26

then you have to add this check to the previous search:

index=wineventlog EventCode=4624 
| eval date=strftime(_time,"%Y-%m-%d")
| search [ | inputlookup holydays.csv | search type=1 | fields date ]) OR date_wday IN ("saturday","sunday") OR (date_hour>17 OR date_hour<8)

In both the situations, the main problem is to identify the login conditions (e.g. for Windows EventCode=4624).

To do this I hint to create an eventtype for each kind of log (e.g. one for Windows, one for linux, etc...) adding to all of them a tag (e.g. "LOGIN"), then you can use it in your search.

Ciao.

Giuseppe

gcusello · ‎05-31-2022

Hi @berzerk,

if this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

berzerk · ‎04-26-2022

For others, what I did was I created a lookup table with hour and value. So from the payload hour field was already extracted and being compared to the lookup table with hours define for off business in column Tag.

The query to put using lookup after extracting the message

| lookup offbusinesshours.csv Time as Tag_hour output Value as Value

| where isnull(Value)

berzerk · ‎04-20-2022

Hi Ranjith,

To define off business hours what query can we put in search? Also, I have the search for the logged events just request you to help me with the command how to define the off business hours

Thanks

renjith_nair · ‎04-20-2022

It would be really helpful if you could provide more details like sample events etc to formulate a search.

In general

Define the off business hours
Search for logged in events
Create alerts for the events which falls in the time frame defined

For e.g. if you are off business hours are between 6PM to 8AM, then select the time range between these time limit and search for the logged in events

Happy Splunking!

How to put query to trigger alert if user account has logged in during off business hours?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life