#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

How to put query to trigger alert if user account has logged in during off business hours?

berzerk
Engager

How to put query to trigger alert if user account has logged in during off business hours?

0 Karma

berzerk
Engager

Here is second part to the same question

How to use lookup if there are multiple locations with different business hours ?
@gcusello @renjith_nair @emile194 

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @berzerk,

it depends on the timezone configuration you adopted:

you could use the local time (eventually converting from _time knowing the user location) and so the business hours are the same.

If instead you converted all the timestamps in your user time, you have to create a new field from _time to use for the check, but the approach is the same.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @berzerk,

when you say off business hours are you speaking of hours outside 8.00 - 17.00 (or a different hours) in Monday-Friday but always the same in every day, in other words without considering holydays or are you speaking also about holydays?

in the first case it isn't so complicate: you have to create a search on the login conditions (e.g. in Windows EvenCode=4624) adding the off business hours: something like this:

index=wineventlog EventCode=4624 ((date_wday IN ("saturday","sunday")) OR (date_hour>17 OR date_hour<8))

If instead you have to manage also holydays, you have to create a lookup (to manage) containing all the holydays of the year (called e.g. "holydays.csv") containing at least one column:

date
2022-01-01
2022-04-18
2022-12-25
2022-12-26

then you have to add this check to the previous search:

index=wineventlog EventCode=4624 
| eval date=strftime(_time,"%Y-%m-%d")
| search [ | inputlookup holydays.csv | search type=1 | fields date ]) OR date_wday IN ("saturday","sunday") OR (date_hour>17 OR date_hour<8)

In both the situations, the main problem is to identify the login conditions (e.g. for Windows EventCode=4624).

To do this I hint to create an eventtype for each kind of log (e.g. one for Windows, one for linux, etc...) adding to all of them a tag (e.g. "LOGIN"), then you can use it in your search.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @berzerk,

if this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma

berzerk
Engager

For others, what I did was I created a lookup table with hour and value. So from the payload hour field was already extracted and being compared to the lookup table with hours define for off business in column Tag.

The query to put using lookup after extracting the message 

| lookup offbusinesshours.csv Time as Tag_hour output Value as Value

| where isnull(Value)

0 Karma

berzerk
Engager

Hi Ranjith,

To define off business hours what query can we put in search? Also, I have the search for the logged events just request you to help me with the command how to define the off business hours

Thanks

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

It would be really helpful if you could provide more details like sample events etc to formulate a search.

In general 

  • Define the off business hours
  • Search for logged in events
  • Create alerts for the events which falls in the time frame defined

For e.g. if you are off business hours are between 6PM to 8AM, then select the time range between these time limit and search for the logged in events

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...