Splunk Enterprise Security

Issues with Detect New Local Admin Account notables

Matth3w
New Member

Hello all,

Our Splunk Enterprise Security uses the following correlation search for the "Detect New Local Admin Account" notables:

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

This matches the correlation search at https://docs.splunksecurityessentials.com/content-detail/detect_new_local_admin_account/

The way it's written makes it so the search returns any transaction with event code equal to 4720 or event code equal to 4732 with the phrase Administrators. It doesn't make a subquery on the transaction to make sure that the transaction contains both a 4720 and a 4732 with the phrase Administrators. So we're getting one of these notables for every account created.

The page https://docs.splunksecurityessentials.com/content-detail/showcase_new_local_admin_account/ has this correlation search:
index=* source="*WinEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators) | transaction Security_ID maxspan=180m connected=false | search EventCode=4720 (EventCode=4732 Administrators) | table _time EventCode Account_Name Target_Account_Name Message

If I swap out index=* source="*WinEventLog:Security" for `wineventlog_security`, that correlation search only returns true positives. The key difference between those searches is the subquery that searches the transactions for logs that have both 4720 and 4732 with the phrase Administrators.

Does anyone know why Splunk Enterprise Security and Splunk Security Essentials have that first correlation search listed? It seems to not do what it's supposed to do. Am I missing something?

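As an added illustration (not from the post, and not Splunk's own detection content), here is a small Python re-implementation of both correlation searches run over constructed sample events. It assumes the field names the searches rely on (EventCode, member_id, Group_Name, dest) and approximates `transaction ... connected=false maxspan=180m` by grouping on member_id within a 180-minute window; it shows the first search producing a notable for every transaction, while the filtered variant fires only when a 4720 and an Administrators 4732 land in the same transaction.

```python
"""Re-implementation of the two searches from the post (added example, not
Splunk content): the ES/SSE search without a post-transaction filter versus
the showcase search that requires both event codes in one transaction."""
from collections import defaultdict

MAXSPAN = 180 * 60  # transaction maxspan=180m, expressed in seconds

# Constructed sample events (not real logs). Field names mirror the Splunk
# extractions used by the searches: EventCode, member_id, Group_Name, dest.
EVENTS = [
    {"_time": 1000, "EventCode": 4720, "member_id": "S-1-5-21-1", "dest": "host1"},
    {"_time": 1600, "EventCode": 4732, "member_id": "S-1-5-21-1",
     "Group_Name": "Administrators", "dest": "host1"},
    {"_time": 2000, "EventCode": 4720, "member_id": "S-1-5-21-2", "dest": "host1"},
    {"_time": 5000, "EventCode": 4732, "member_id": "S-1-5-21-3",
     "Group_Name": "Administrators", "dest": "host2"},
]

def transactions(events, key="member_id", maxspan=MAXSPAN):
    """Approximate `transaction <key> connected=false maxspan=...`: group events
    by key in time order, opening a new group once maxspan would be exceeded."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        runs = groups[ev[key]]
        if runs and ev["_time"] - runs[-1][0]["_time"] <= maxspan:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    return [run for runs in groups.values() for run in runs]

def base_search(events):
    """EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)"""
    return [e for e in events if e["EventCode"] == 4720
            or (e["EventCode"] == 4732 and e.get("Group_Name") == "Administrators")]

def ess_search(events):
    """The ES/SSE search as posted: every transaction becomes a notable."""
    return sorted(t[0]["member_id"] for t in transactions(base_search(events)))

def filtered_search(events):
    """Showcase variant: keep only transactions containing BOTH event codes."""
    hits = []
    for t in transactions(base_search(events)):
        codes = {e["EventCode"] for e in t}
        if {4720, 4732} <= codes:
            hits.append(t[0]["member_id"])
    return sorted(hits)
```

On the sample data the unfiltered search reports all three SIDs (one plain account creation, one group add with no creation, and the one real new local admin), whereas the filtered search reports only the SID that has both events.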