Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Account Creation And Deletion within a given time

hagjos43
Contributor
‎07-08-2014 10:32 AM

Hello, I'm trying to create a query to monitor when users create accounts and then within a given time window delete the account.

I've got this so far:

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Creation", EventCode=4726, "Account Creation", EventCode=624, "Account Deletion", EventCode=4720, "Account Deletion") |

The Pseudo code for what I'm looking for would be:

. . . | where Account Creation AND Account Deletion occur within x hours

Thanks!

Tags (4)
0 Karma
Reply

renjujacob88
Path Finder
‎07-19-2017 03:37 AM

Here with the modified one

index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) |rex field=_raw "(?ms)^(?P\d+\S+\s\S*\s\w+)" | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 86400 | eval Account_Created_Time=mvindex(time,0)|eval
Account_Deleted_Time=mvindex(time,1) |eval Created_Account_EventCode =mvindex(EventCode,0)|eval Deleted_Account_EventCode =mvindex(EventCode,1)|eval Account_Created_By =mvindex(src_user,0)|eval Account_Deleted_By=mvindex(src_user,1) | table Account_Created_Time Account_Created_By Created_Account_EventCode user
Account_Deleted_Time Deleted_Account_EventCode Account_Deleted_By | eval Account_Deleted_By=if(isnull(Account_Deleted_By),Account_Created_By,Account_Deleted_By) | Rename user as Account_Created_And_Deleted |

Reply

renjujacob88
Path Finder
‎07-19-2017 12:46 AM

Modified query

index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) |rex field=_raw "(?ms)^(?P\d+\S+\s\S*\s\w+)" | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 86400 | eval Account_Created_Time=mvindex(time,0)|eval Account_Deleted_Time=mvindex(time,1) |eval Created_Account_EventCode =mvindex(EventCode,0)|eval Deleted_Account_EventCode =mvindex(EventCode,1)|eval Account_Created_By =mvindex(src_user,0)|eval Account_Deleted_By=mvindex(src_user,1) | table Account_Created_Time Account_Created_By Created_Account_EventCode user Account_Deleted_Time Deleted_Account_EventCode Account_Deleted_By | eval Account_Deleted_By=if(isnull(Account_Deleted_By),Account_Created_By,Account_Deleted_By) | Rename user as Account_Created_And_Deleted |

0 Karma
Reply

aaronandshag
Explorer
‎01-12-2017 01:42 PM

Hello, I've got one right here for ya!

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2  | where duration < 3600

I've tested it and get correct results.

0 Karma
Reply

aaronandshag
Explorer
‎01-12-2017 01:47 PM

Hello,

So the event codes were improperly associated with the event descriptions, fixed that. 

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2  | where duration < 3600

This works in my environment.

0 Karma
Reply

somesoni2
Revered Legend
‎07-08-2014 10:44 AM

Try this

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Creation", EventCode=4726, "Account Creation", EventCode=624, "Account Deletion", EventCode=4720, "Account Deletion") 
|transaction startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < X*3600

where X is your hours.

0 Karma
Reply

cdev24
New Member
‎12-24-2015 11:42 AM

But this will not valid for same user who is created and deleted.

Above query is valid for X user account created and Y user account got deleted.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...