We have a saved search that checks for the occurrence of at least two separate events for each user. For example, say I want to check if a user logs in and logs out within the same hour, a simplified search would be something like this:
index=windows event_id IN ("4624","4625") | stats dc(event_id) as dc_count by User | search dc_count>=2
I would save this as an Alert, schedule it to run every hour at the start of the hour, with a time range of the last hour. This works without any problems, however, my concern is as follows. Say a user logs in at the 59 minute mark, then logs out at the 15 minute mark. The alert will not detect it since it will fall under two separate searches times.
One solution I can think of is to change the stats command to a streamstats, then change the time range to the last two hours, keeping the schedule to run every hour:
| streamstats dc(event_id) as dc_count by User time_window=1h
Lastly, apply a throttle by user to avoid duplicate alerts.
However, I feel this solution is kind of ugly and cumbersome, and I was wondering if I am missing an obvious way to solve this.
index=windows event_id IN ("4624","4625") earliest=-2h@h | streamstats count(eval(event_id==4625)) AS sessionID BY User | stats first(_time) AS _time range(_time) AS duration values(event_id) AS event_id dc(event_id) as eventId_count BY sessionID User | where event_id==4624 AND policy_count==1 | where duration > your_desire_duration_seconds
HI, If you search in the past 2 hours every hour, you will be alerted.
thanks @woodcock , I used your query.