Splunk Enterprise Security

Help with a search to check recent activity and set alert

Engager

Hi, I would like to make sure I got this correct and I cant seem to find the answer anywhere.
I added the whole search for context but I am bit concerned with is:

| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)

I want to make sure I am checking the last 30 days of admin activity in the lookup against the 15m I just searched for. If nothing is found no alarm but if a new value is found then I want an alarm. Let me know what you all think and thank you in advance for your input.

SourceName="Microsoft Windows security auditing." user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$" user!="ANONYMOUS LOGON" user!="IUSR"
EventCode=4672 earliest=-15m
| stats earliest(_time) as earliest latest(_time) as latest by user 
| inputlookup append=t previously_seen_superadmins.csv 
| stats min(earliest) as earliest max(latest) as latest by user
| outputlookup previously_seen_superadmins.csv
**| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)**
| convert ctime(earliest) ctime(latest)
| where isOutlier=1
0 Karma
1 Solution

Ultra Champion
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)

This query will cause the isOutliner to be 30 or 0.

| where isOutlier=1

However, the result is different because isOutliner with 1 is selected by this query.

| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)

How about it?

View solution in original post

Ultra Champion
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)

This query will cause the isOutliner to be 30 or 0.

| where isOutlier=1

However, the result is different because isOutliner with 1 is selected by this query.

| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)

How about it?

View solution in original post

Engager

okay that makes sense. I had a fundamental misunderstanding about what those numbers meant. I want the isOutlier to = 1 because I want the first occurrence to be the condition that triggers the alarm. And the time period in that its checking against in the CSV to be 30 days so if i understand it should go like this. "| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0)"

0 Karma