How to make sure a saved search covers proper time range



We have a saved search that checks for the occurrence of at least two separate events for each user. For example, say I want to check if a user logs in and logs out within the same hour, a simplified search would be something like this:

index=windows event_id IN ("4624","4625")
| stats dc(event_id) as dc_count by User
| search dc_count>=2

I would save this as an Alert, schedule it to run every hour at the start of the hour, with a time range of the last hour. This works without any problems; however, my concern is as follows. Say a user logs in at the 59-minute mark, then logs out at the 15-minute mark. The alert will not detect it, since the two events fall into two separate search time ranges.

One solution I can think of is to change the stats command to a streamstats, then change the time range to the last two hours, keeping the schedule to run every hour:

| streamstats dc(event_id) as dc_count by User time_window=1h

Lastly, apply a throttle by user to avoid duplicate alerts.

However, I feel this solution is kind of ugly and cumbersome, and I was wondering if I am missing an obvious way to solve this.

Thank you

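To make the boundary problem concrete, here is an added Python simulation of the scheduled alert; it is not Splunk code and not part of the original post. It re-implements the `dc(event_id) by User` check over a fixed window, runs it at each hour boundary with a one-hour and then a two-hour lookback, and models the per-user throttle as a suppression period that starts when an alert fires for that user. The five events, the hour boundary `T0` and the exact boundary semantics of the throttle are constructed assumptions.

```python
"""Added example: simulate the hourly scheduled alert from the question with a
one-hour and a two-hour lookback, plus per-user throttling. Constructed data; not Splunk code."""
from collections import defaultdict

T0 = 1_700_000_000 - (1_700_000_000 % 3600)   # an exact hour boundary (assumption)

# Constructed sample events, times in epoch seconds. 4624 = logon; 4625 is the
# second event the question pairs it with.
EVENTS = [
    {"_time": T0 + 600,  "User": "alice", "event_id": "4624"},   # 00:10
    {"_time": T0 + 2400, "User": "alice", "event_id": "4625"},   # 00:40  same hour as the logon
    {"_time": T0 + 3540, "User": "bob",   "event_id": "4624"},   # 00:59
    {"_time": T0 + 4500, "User": "bob",   "event_id": "4625"},   # 01:15  straddles the boundary
    {"_time": T0 + 6000, "User": "carol", "event_id": "4624"},   # 01:40  no second event
]


def alert_users(events, earliest, latest):
    """The question's search over [earliest, latest):
       stats dc(event_id) AS dc_count BY User | search dc_count>=2"""
    seen = defaultdict(set)
    for e in events:
        if earliest <= e["_time"] < latest:
            seen[e["User"]].add(e["event_id"])
    return {user for user, ids in seen.items() if len(ids) >= 2}


def run_schedule(events, lookback, runs=3, throttle=None):
    """Run the alert at T0+1h, T0+2h, ... with a window of `lookback` seconds ending
    at the run time. `throttle`, if set, suppresses a user for that many seconds
    after an alert fires for them (the per-field throttle the question proposes;
    the exact boundary behaviour is an assumption of this model).
    Returns [(run_number, user), ...] for every alert that fires."""
    fired = []
    suppressed_until = {}
    for k in range(1, runs + 1):
        latest = T0 + k * 3600
        earliest = latest - lookback
        for user in sorted(alert_users(events, earliest, latest)):
            if throttle is not None and suppressed_until.get(user, 0) > latest:
                continue                                  # still throttled
            fired.append((k, user))
            if throttle is not None:
                suppressed_until[user] = latest + throttle
    return fired


if __name__ == "__main__":
    print("1h window:          ", run_schedule(EVENTS, 3600))
    print("2h window:          ", run_schedule(EVENTS, 7200))
    print("2h window, 1h throttle:", run_schedule(EVENTS, 7200, throttle=3600))
    print("2h window, 2h throttle:", run_schedule(EVENTS, 7200, throttle=7200))
```

With the one-hour window bob's pair is never seen together; the two-hour lookback catches it but evaluates alice's pair in two consecutive runs. In this model a throttle equal to the schedule period (3600 s) does not stop the repeat, because the next run starts exactly when the suppression ends, so the throttle should be at least as long as the lookback (7200 s here). The trade-off is that throttling by User also hides a second, genuine pair for the same user that falls inside the suppression window. Adding `latest=@h` next to `earliest=-2h@h` keeps both window edges on the hour, so each pair is evaluated exactly twice rather than a varying number of times depending on when the scheduler actually starts the search.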

Ultra Champion
index=windows event_id IN ("4624","4625") earliest=-2h@h
| streamstats count(eval(event_id==4625)) AS sessionID BY User
| stats first(_time) AS _time range(_time) AS duration values(event_id) AS event_id dc(event_id) AS eventId_count BY sessionID User
| where event_id==4624 AND eventId_count==1
| where duration > your_desire_duration_seconds

Hi, if you search the past 2 hours every hour, you will be alerted.
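The grouping in the answer above relies on Splunk handing events to `streamstats` in the order the search returns them, which is newest first by default. The following added Python re-implementation (not SPL and not the answerer's code; the events and field names are constructed to match the question) reproduces the `streamstats count(eval(event_id==4625)) AS sessionID BY User` counter and the `stats` aggregation that follows it, with a flag to run the same logic in chronological order instead.

```python
"""Added example: Python re-implementation of the streamstats/stats session grouping
used in the answer above. Constructed data; not Splunk code."""
from collections import defaultdict

# Constructed sample events. Splunk returns search results newest-first, and
# streamstats processes them in that order unless the search re-sorts them.
T0 = 1_700_000_000 - (1_700_000_000 % 3600)   # an exact hour boundary (assumption)
EVENTS = [
    {"_time": T0 + 600,  "User": "alice", "event_id": "4624"},
    {"_time": T0 + 2400, "User": "alice", "event_id": "4625"},
    {"_time": T0 + 3540, "User": "bob",   "event_id": "4624"},
    {"_time": T0 + 4500, "User": "bob",   "event_id": "4625"},
    {"_time": T0 + 6000, "User": "carol", "event_id": "4624"},
]


def sessionize(events, newest_first=True):
    """Mimic:
         | streamstats count(eval(event_id==4625)) AS sessionID BY User
         | stats first(_time) AS _time range(_time) AS duration
                 values(event_id) AS event_id dc(event_id) AS eventId_count BY sessionID User
    Returns {(User, sessionID): {...}}."""
    ordered = sorted(events, key=lambda e: e["_time"], reverse=newest_first)
    counter = defaultdict(int)          # running count of 4625 events per user
    groups = defaultdict(list)
    for e in ordered:
        if e["event_id"] == "4625":
            counter[e["User"]] += 1     # streamstats includes the current event in its count
        groups[(e["User"], counter[e["User"]])].append(e)

    sessions = {}
    for key, evs in groups.items():
        times = [e["_time"] for e in evs]
        ids = sorted({e["event_id"] for e in evs})
        sessions[key] = {
            "_time": times[0],                  # first(_time): first value in arrival order
            "duration": max(times) - min(times),  # range(_time)
            "event_id": ids,                    # values(event_id): unique, lexicographically sorted
            "eventId_count": len(ids),          # dc(event_id)
        }
    return sessions


def paired_sessions(sessions):
    """Sessions that contain both a 4624 and a 4625, i.e. the pairs the question wants."""
    return {k: v for k, v in sessions.items() if v["eventId_count"] == 2}


if __name__ == "__main__":
    for order in (True, False):
        print("newest_first =", order)
        for key, s in sorted(sessionize(EVENTS, newest_first=order).items()):
            print("  ", key, s["event_id"], "duration", s["duration"])
```

In the default newest-first order the 4625 event is processed before its logon, so the counter increments once and both events share a sessionID, and `duration` is the gap between them (960 s for bob, across the hour boundary). If a `| sort _time` is inserted before the `streamstats`, the logon is counted into the previous session and every pair splits into two single-event sessions, so the `where` filters at the end of the answer no longer see both events together. Any pipeline change that alters event order therefore needs a matching change to which event id is counted.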

Thanks @woodcock, I used your query.

Esteemed Legend

You did UpVote, right?


Ultra Champion

Roger that.
