Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how do I make a query that shows user account creation and deletion over time?

IWilsonR
Engager
‎12-13-2018 09:02 PM

I need a query that shows Unix user Account Creation And Deletion within 24 hours time.

Right now, i have this below query which throws a result when a user is created or deleted.

index=Linux_os eventtype="linux_sec" (eventtype=useradd OR eventtype=userdel) user=* dest=* name=* | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|stats list(dest) as Destination list(name) as Action list(time) as Time  by user

I need a query that shows Account Creation And Deletion within 24 hours time. Please help

0 Karma
Reply

whrg
Motivator
‎12-14-2018 05:16 AM

Hello @IWilsonR,

I found a question on SplunkAnswers which is very similar to yours: Account Creation And Deletion within a given time.

Try this search using the transaction command:

index=Linux_os eventtype="linux_sec"
| transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2
| where duration<24*3600

This should work too:

index=Linux_os eventtype="linux_sec"
| transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2 maxspan=24h
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...