Splunk Enterprise Security

In Splunk Enterprise Security, how do I make a query that shows user account creation and deletion over time?

IWilsonR
Engager

I need a query that shows Unix user Account Creation And Deletion within 24 hours time.

Right now, i have this below query which throws a result when a user is created or deleted.

index=Linux_os eventtype="linux_sec" (eventtype=useradd OR eventtype=userdel) user=* dest=* name=* | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|stats list(dest) as Destination list(name) as Action list(time) as Time  by user

I need a query that shows Account Creation And Deletion within 24 hours time. Please help

0 Karma

whrg
Motivator

Hello @IWilsonR,

I found a question on SplunkAnswers which is very similar to yours: Account Creation And Deletion within a given time.

Try this search using the transaction command:

index=Linux_os eventtype="linux_sec"
| transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2
| where duration<24*3600

This should work too:

index=Linux_os eventtype="linux_sec"
| transaction user startswith=eventtype=useradd endswith=eventtype=userdel maxevents=2 maxspan=24h
0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...