Splunk Enterprise Security

How can I achieve this absence of event?

Nawab
Communicator

I want to create a use case; below is the scenario.

Let's suppose we have a device that will create a new temp user for every new session and deletes that user when the session is ended.

Now I want to check if a user is created but not deleted in 24 hours.

How can I achieve this absence of event?


Nawab
Communicator

Okay! So here I am looking for one query that will fit all absence of events.
Let me give you another example.
Let's say there is an update related to any product that is pushed, so now the update will be either successful or failed.
Now some hosts will have a success event and some will have a failed event. In this case, both hosts will have the same amount of events, i.e. 1, either success or failure.
I want to check if there is a failure but no success for the same policy in the last 24 hours.

Again, here I am looking for a query that will fit all absence of events.


inventsekar
SplunkTrust

Maybe you should provide some sample logs of how the new-user-created and user-deleted logs look.

This task is achievable; just a good logic/idea is needed. When we can see the sample logs, we can try to work on the SPL query step by step. Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

Nawab
Communicator

This will generate false positives in different cases. I have given an example case, but I need logic for every case where an event is not available: the 1st event is available and the 2nd is not, and the flow of the log is from 1st to 2nd, so if the 2nd event occurred before the 1st it should not be counted.

ITWhisperer
SplunkTrust

So the temp user is not unique?

In that case, record the last time the user was created and the last time the user was deleted, and if there is no delete, or the delete is prior to the create, and the create is more than 24 hours ago, you have your create without a delete.

ITWhisperer
SplunkTrust

Count events and track earliest event by user, then where count is 1 and first (create) event is more than 24 hours ago you have found the user which hasn't been deleted.

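The approach ITWhisperer describes in the two replies above (latest create vs. latest delete per user, flagging a create that is older than 24 hours with no later delete) written out as an SPL search. This is an added example, not a query from the thread; since no sample logs were posted, the index and sourcetype, the field names `user` and `action`, and the values `create` / `delete` are assumptions that have to be adjusted to the real events.

```spl
index=device_auth sourcetype=device:session action IN ("create", "delete") earliest=-7d
| eval create_time=if(action=="create", _time, null()),
       delete_time=if(action=="delete", _time, null())
| stats max(create_time) AS last_create, max(delete_time) AS last_delete BY user
| where isnotnull(last_create)
    AND (isnull(last_delete) OR last_delete < last_create)
    AND last_create < relative_time(now(), "-24h")
| eval last_create=strftime(last_create, "%Y-%m-%d %H:%M:%S"),
       last_delete=strftime(last_delete, "%Y-%m-%d %H:%M:%S")
| table user last_create last_delete
```

Two points matter when this runs as a scheduled alert. First, the search window (`earliest=-7d` here) must reach back further than 24 hours, otherwise the create that is being waited on falls outside the window and the user never appears in the results; size it to the longest session the device allows. Second, the `last_delete < last_create` test is what handles the ordering concern raised in the thread: a delete that belongs to an earlier session of a reused username does not clear a newer create, while a delete after the create does. The same shape covers the update example by searching the update events instead, using `status=="failed"` where `create` is, `status=="success"` where `delete` is, and `BY host policy` instead of `BY user`; the `where` clause then reads "a failure with no later success, and the failure is older than the alert threshold".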