Using the _time field for throttling within the co...

AL3Z · ‎02-05-2024

Hi all,

In my AD computer account deletion correlation search, I use _time and subjectusername in throttling fields for grouping. Is adding _time to throttling the correct approach? Please correct me if I'm wrong.
query
index=win sourcetype=XmlWinEventLog EventCode=4743
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventDescription, values(TargetUserName) as deleted_computer, dc(TargetUserName) as computeruser_count by _time SubjectUserName
| where computeruser_count > 20
Time Range set to
Earliest Time 20m@m
latest now
cron schedule */15 * * * *

Scheduling set to Continuous

Throttling
window duration 12 hours

Fields to group by SubjectUserName , _time

Thanks in Advance..

richgalloway · ‎02-05-2024

Throttling works by checking to see if the specified field changed value within the throttle period. Since _time is always changing it is ineffective as a throttle.

---
If this reply helps you, Karma would be appreciated.

AL3Z · ‎02-05-2024

@richgalloway ,

I need to change the query or its fine to drop the _time from the Throttling group by field name?

richgalloway · ‎02-05-2024

I would drop _time as a throttling field.

---
If this reply helps you, Karma would be appreciated.

Using the _time field for throttling within the correlation search.

correlation search

investigation

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms