I have set up an alert for when logging has stopped on a Windows endpoint using event code 1100, but want to avoid results where logging has restarted soon after being stopped.
Current query:
sourcetype=WinEventLog
| where ('EventCode'="1100" OR 'EventCode'="6005")
However events where a restart has occurred are still alerting.
What I am trying to do is alert on events when logging has stopped (EventCode=1100) and NOT restarted (EventCode=6005) for the same endpoint.
sourcetype=wineventlog EventCode IN (1100,6005)
| bin _time span=5m
| stats values(EventCode) as EventCode dc(EventCode) as dc_EventCode by _time, dest
| search EventCode=1100 dc_EventCode=1
My example above should be a pretty efficient means of doing this. I'll explain line by line
First, I would recommend moving the EventCode criteria into your search. Adding criteria to the initial search is more efficient than running a broad search and piping it to a where statement.
The bin command changes the time field into windows of whatever increment you specify in span. So this creates a 5 minute time bucket. The span you can set to whatever time interval you think is acceptable between the stop logging and start logging events
The stats command will show all the EventCodes from the returned events for a given dest (for windows logs this should be the field indicating which device the event occurred on) in a 5 minute window.
Then we only show the events that have 1 EventCode that is an 1100. This eliminates any devices where they had a stop event AND a start event in a 5 minute window while still alerting on the ones that only had a stop event! Hopefully that helps
Thank you, your answers are vere interesting!
I have a question in addition: how to modify Splunk rule "Audit - Anomalous Audit Trail Activity Detected - Rule" so that it takes the shutdown event into consideration? This rule uses Audit model and stats and no other EventIds are listed.
| from datamodel:"Change"."Auditing_Changes" | where ('action'="cleared" OR 'action'="stopped") | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",count by "dest","result" | rename "result" as "signature"
Hello @nmcdowell,
you can try to use transaction command ( https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Transaction ). Adjust common fields and maxspan as needed.
sourcetype=WinEventLog EventCode="1100" OR EventCode="6005" | transaction src maxspan=30s keepevicted=t startswith(EventCode="1100") endswith(EventCode="6005") | search closed_txn=0