Splunk Enterprise Security

Help with a search to check recent activity and set alert

tassetjn
Engager

Hi, I would like to make sure I got this correct and I cant seem to find the answer anywhere.
I added the whole search for context but I am bit concerned with is:

| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)

I want to make sure I am checking the last 30 days of admin activity in the lookup against the 15m I just searched for. If nothing is found no alarm but if a new value is found then I want an alarm. Let me know what you all think and thank you in advance for your input.

SourceName="Microsoft Windows security auditing." user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$" user!="ANONYMOUS LOGON" user!="IUSR"
EventCode=4672 earliest=-15m
| stats earliest(_time) as earliest latest(_time) as latest by user 
| inputlookup append=t previously_seen_superadmins.csv 
| stats min(earliest) as earliest max(latest) as latest by user
| outputlookup previously_seen_superadmins.csv
**| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)**
| convert ctime(earliest) ctime(latest)
| where isOutlier=1
0 Karma
1 Solution

to4kawa
Ultra Champion
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)

This query will cause the isOutliner to be 30 or 0.

| where isOutlier=1

However, the result is different because isOutliner with 1 is selected by this query.

| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)

How about it?

View solution in original post

to4kawa
Ultra Champion
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 30, 0)

This query will cause the isOutliner to be 30 or 0.

| where isOutlier=1

However, the result is different because isOutliner with 1 is selected by this query.

| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)

How about it?

tassetjn
Engager

okay that makes sense. I had a fundamental misunderstanding about what those numbers meant. I want the isOutlier to = 1 because I want the first occurrence to be the condition that triggers the alarm. And the time period in that its checking against in the CSV to be 30 days so if i understand it should go like this. "| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0)"

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...