Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how do I make a query that shows user account creation and deletion over time?

IWilsonR
Engager
‎12-13-2018 09:02 PM

I need a query that shows Unix user Account Creation And Deletion within 24 hours time.

Right now, i have this below query which throws a result when a user is created or deleted.

index=Linux_os eventtype="linux_sec" (eventtype=useradd OR eventtype=userdel) user=* dest=* name=* | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|stats list(dest) as Destination list(name) as Action list(time) as Time  by user

I need a query that shows Account Creation And Deletion within 24 hours time. Please help

0 Karma
Reply

whrg
Motivator
‎12-14-2018 05:16 AM

Hello @IWilsonR,

I found a question on SplunkAnswers which is very similar to yours: Account Creation And Deletion within a given time.

Try this search using the transaction command:

index=Linux_os eventtype="linux_sec"
| transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2
| where duration<24*3600

This should work too:

index=Linux_os eventtype="linux_sec"
| transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2 maxspan=24h
0 Karma
Reply
Get Updates on the Splunk Community!

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...

New This Month - SLO Capabilities, APM Advanced Filtering & Usage Analytics Plus ...

More for SLO Management We’re continuing to expand the built-in SLO management experience in Splunk ...