Hello,
I'm fairly new to Splunk and I've been playing around with some of the security correlation rules and needed some guidance on one.
Below is a search that shows me the user, signature, source of the lockout, and how many times that particular user got locked out from that host.
index=windows* source=WinEventLog:Security EventCode=4740 | stats count by user, signature, src_nt_host
If I do a where count >X on this, it will alert me if one user got locked out multiple times, but I want to know if Y unique users get locked out within a time period. The search below does that, but it doesn't have any useful information with it.
index=windows* source=WinEventLog:Security EventCode=4740 | stats count by signature
Is there a way to show the information from the top query but do a count on how many total log events trip? I'm going to turn this into a correlation rule and we want the appropriate alert but when I click on the query, I'd like it to show the relevant information without hopping to another search.
Thanks for your help.
A simple search to show how many users got locked out could be:
index=windows* source=WinEventLog:Security EventCode=4740 | stats dc(user) as distinct_users values(user) as users
Since you want to keep the information from your top query, I suggest the following search:
index=windows* source=WinEventLog:Security EventCode=4740 | stats count by user,signature,src_nt_host | eventstats dc(user) as distinct_users
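Putting the suggested eventstats pattern together into a complete correlation search, as an added example (not part of the original answer): the first four lines build a constructed set of six lockout events with makeresults so the search runs on any Splunk instance without Windows data; in production you replace them with the thread's own index=windows* source=WinEventLog:Security EventCode=4740 search and let the saved search's time range (for example earliest=-15m) define the window. The threshold of 3 distinct users and the field name total_lockouts are assumptions chosen for the example.

```spl
| makeresults count=6
| streamstats count as n
| eval user=case(n=1,"admin", n=2,"admin", n=3,"admin", n=4,"jsmith", n=5,"kdoe", n=6,"kdoe"),
       src_nt_host=case(n=1,"server1", n=2,"server2", n=3,"server3", n=4,"server1", n=5,"server2", n=6,"server2"),
       signature="A user account was locked out.", EventCode=4740
| fields - n
| stats count by user, signature, src_nt_host
| eventstats dc(user) as distinct_users, sum(count) as total_lockouts
| where distinct_users >= 3
```

On the constructed data this returns five rows (admin from server1, server2 and server3, jsmith from server1, kdoe from server2 with count=2), each carrying distinct_users=3 and total_lockouts=6. Because eventstats appends the totals to every row instead of collapsing them, the where clause fires on the number of unique users while the detail rows (user, signature, source host, per-host count) are still there when you click through from the alert; sum(count) is what answers "how many total log events trip".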
Thank you very much. Overall that did what I wanted it to do. I think the only tweak I'm going to have to perform is that I have a few entries where the user has multiple src_nt_hosts. So the distinct_users count is maybe 100 where the overall events are 150 since admin may have hits from server1, server2, and server3.
If you have multivalue fields like src_nt_hosts then you could either use
| mvexpand src_nt_hosts
or
| eval src_nt_hosts=mvindex(src_nt_hosts,1)
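To show what the two options above do when the host field is multivalued, here is an added example that is not from the original answer. It builds one constructed lockout event whose src_nt_host field holds three hosts (makemv turns the comma-separated string into a multivalue field), then expands it so each host becomes its own row before the count; field names follow the thread, the signature text is assumed.

```spl
| makeresults
| eval user="admin", signature="A user account was locked out.",
       src_nt_host="server1,server2,server3"
| makemv delim="," src_nt_host
| mvexpand src_nt_host
| stats count by user, signature, src_nt_host
| eventstats dc(user) as distinct_users, sum(count) as total_lockouts
```

This yields three rows (one per host), distinct_users=1 and total_lockouts=3, so the distinct-user alert still sees a single user while the per-host detail is preserved. If you instead want one row per user regardless of host, swap the mvexpand line for `| eval src_nt_host=mvindex(src_nt_host,0)`; note that mvindex is zero-based, so index 0 is the first host and index 1 the second.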