Splunk Enterprise Security

How can I achieve this absence of event?

Nawab
Communicator

I want to create a use case; below is the scenario.

Let's suppose we have a device that will create a new temp user for every new session and deletes that user when the session is ended.

Now I want to check if a user is created but not deleted in 24 hours. 

How can I achieve this absence of event?


Nawab
Communicator

Okay! So here I am looking for one query that will fit all absences of events.
Let me give you another example.
Let's say there is an update related to any product that is pushed, so the update will be either successful or failed.
Now some hosts will have a success event and some will have a failed event. In this case, both hosts will have the same number of events, i.e. 1, either success or failure.
I want to check if there is a failure but no success for the same policy in the last 24 hours.

Again, here I am looking for a query that will fit all absences of events.


inventsekar
SplunkTrust

Maybe you should provide some sample logs of how the new-user-created and user-deleted logs look.

This task is achievable; just a good logic/idea is needed. When we can see the sample logs, we can try to work on the SPL query step by step. Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

Nawab
Communicator

This will generate false positives in different cases. I have given an example case, but I need logic for every case where an event is not available: the 1st event is available and the 2nd is not, and the flow of logs is from 1st to 2nd, so if the 2nd event occurred before the 1st it should not be counted.


ITWhisperer
SplunkTrust

So the temp user is not unique?

In that case, record the last time the user was created and the last time the user was deleted, and if there is no delete, or the delete is prior to the create, and the create is more than 24 hours ago, you have your create without a delete.


ITWhisperer
SplunkTrust

Count events and track earliest event by user, then where count is 1 and first (create) event is more than 24 hours ago you have found the user which hasn't been deleted.

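The pairing logic ITWhisperer describes (latest create versus latest delete per user, alert when the create is older than the window and no delete follows it) is the same shape as the asker's second scenario (a failure with no later success for the same host and policy). The following Python is an added example, not code from the thread or from Splunk: it implements that "first event present, second event absent or earlier" check once, parameterised by the start action, end action and grouping key, and runs it over constructed sample events for both scenarios. Event formats, field names and hostnames are all made up for illustration.

```python
"""Absence-of-event check: report keys whose latest 'start' event has no
'end' event at or after it and is older than a window.  Added example for
the thread above, not the thread's or Splunk's own code; the log format,
action names and hosts below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# "Now" is fixed so the example is reproducible offline.
NOW = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample events: (timestamp, key, action).  Not real device logs.
TEMP_USER_EVENTS = [
    ("2024-06-01T09:00:00Z", "tmp_a1", "user_created"),
    ("2024-06-01T09:30:00Z", "tmp_a1", "user_deleted"),    # normal session
    ("2024-06-01T10:00:00Z", "tmp_b2", "user_created"),    # never deleted -> alert
    ("2024-06-01T08:00:00Z", "tmp_c3", "user_deleted"),    # reused name: delete is
    ("2024-06-01T08:05:00Z", "tmp_c3", "user_created"),    # BEFORE the create -> alert
    ("2024-06-02T11:30:00Z", "tmp_d4", "user_created"),    # 30 min old, still in window
]

UPDATE_EVENTS = [
    ("2024-06-02T01:00:00Z", "host01:policy-7", "update_failed"),
    ("2024-06-02T01:10:00Z", "host01:policy-7", "update_succeeded"),  # retry worked
    ("2024-06-02T02:00:00Z", "host02:policy-7", "update_failed"),     # no success -> alert
    ("2024-06-02T03:00:00Z", "host03:policy-7", "update_succeeded"),  # arrives out of order,
    ("2024-06-02T02:30:00Z", "host03:policy-7", "update_failed"),     # but is later than failure
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_missing_end(events, start_action, end_action, now, window=timedelta(hours=24)):
    """Return sorted keys whose latest `start_action` is older than `window`
    and is not followed (or matched) by an `end_action` for the same key.

    Keeping only the LATEST start and LATEST end per key is what makes reused
    keys safe: an end that precedes the start is treated as belonging to an
    earlier pairing and does not close the current one.  This mirrors a
    stats latest(...) by key aggregation; ordering of input does not matter.
    """
    last_start = {}
    last_end = {}
    for ts, key, action in events:
        t = parse_ts(ts)
        if action == start_action:
            last_start[key] = max(t, last_start.get(key, t))
        elif action == end_action:
            last_end[key] = max(t, last_end.get(key, t))

    cutoff = now - window
    stale = []
    for key, started in last_start.items():
        ended = last_end.get(key)
        if (ended is None or ended < started) and started < cutoff:
            stale.append(key)
    return sorted(stale)


def check_temp_users():
    """Scenario 1: users created more than 24 h ago and not deleted since."""
    return find_missing_end(TEMP_USER_EVENTS, "user_created", "user_deleted", NOW)


def check_updates():
    """Scenario 2: any failure with no later success for the same host/policy.
    A zero window reports as soon as the failure is the latest event."""
    return find_missing_end(UPDATE_EVENTS, "update_failed", "update_succeeded",
                            NOW, window=timedelta(0))


if __name__ == "__main__":
    print("temp users never cleaned up:", check_temp_users())
    print("failed updates with no success:", check_updates())
```

The simpler count-based variant from the later reply (count of events per user is 1 and the first event is older than 24 hours) is a special case of this: it is correct when every temp user name is unique, and the latest-start/latest-end comparison is what removes the false positives once names are reused, which is the objection raised in the thread.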