Splunk Enterprise Security

Transactioned Orphaned Events

swright_rl
Explorer

Hi Everyone,

I'm building / improving one of the alerts which we use to detect when a event log has been turned off from logging.

index=wineventlog tag=Reboot OR tag=Clear
| transaction endswith=tag=Clear startswith=tag=Reboot maxevents=2 maxspan=30m keeporphans=t
| stats list(duration) as Duration by dest
| mvexpand Duration
| where Duration>300 

The code above works great, although I'm struggling to finish it off.

I'm trying to find if a log has been cleared without a corresponding reboot has taken place. I'm guessing that I need to use keeporphans, but I can't get it to be placed in the stats field for that specific event.

Any help is appreciated.

Thanks

Steve

0 Karma
1 Solution

swright_rl
Explorer

Answered my own question

index=wineventlog tag=Reboot OR tag=Clear 
| transaction endswith=tag=Clear startswith=tag=Reboot maxevents=2 maxspan=40m  keepevicted=true 
| stats list(duration) as Duration by dest 
| mvexpand Duration 
| append  
    [ search index=wineventlog tag=Reboot OR tag=Clear 
    | transaction endswith=tag=Clear startswith=tag=Reboot maxevents=2 maxspan=40m  keepevicted=true
    | search closed_txn=0 
    | eval Lone=if(closed_txn=0 AND EventCode=1100,"1","0") 
    | stats list(Lone) as Lone_Clear by dest 
    | mvexpand Lone_Clear 
    | where Lone_Clear=1] 
| where Duration>1800 OR Lone_Clear=1

View solution in original post

0 Karma

swright_rl
Explorer

Answered my own question

index=wineventlog tag=Reboot OR tag=Clear 
| transaction endswith=tag=Clear startswith=tag=Reboot maxevents=2 maxspan=40m  keepevicted=true 
| stats list(duration) as Duration by dest 
| mvexpand Duration 
| append  
    [ search index=wineventlog tag=Reboot OR tag=Clear 
    | transaction endswith=tag=Clear startswith=tag=Reboot maxevents=2 maxspan=40m  keepevicted=true
    | search closed_txn=0 
    | eval Lone=if(closed_txn=0 AND EventCode=1100,"1","0") 
    | stats list(Lone) as Lone_Clear by dest 
    | mvexpand Lone_Clear 
    | where Lone_Clear=1] 
| where Duration>1800 OR Lone_Clear=1
0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...