Splunk Search

Account Creation And Deletion within a given time

Contributor

Hello, I'm trying to create a query to monitor when users create accounts and then within a given time window delete the account.

I've got this so far:

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Creation", EventCode=4726, "Account Creation", EventCode=624, "Account Deletion", EventCode=4720, "Account Deletion") |

The Pseudo code for what I'm looking for would be:

. . . | where Account Creation AND Account Deletion occur within x hours

Thanks!

Path Finder

Modified query

index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)
| rex field=_raw "(?ms)^(?P<time>\d+\S+\s\S*\s\w+)"
| eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation")
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| where duration < 86400
| eval AccountCreatedTime=mvindex(time,0)
| eval AccountDeletedTime=mvindex(time,1)
| eval CreatedAccountEventCode=mvindex(EventCode,0)
| eval DeletedAccountEventCode=mvindex(EventCode,1)
| eval AccountCreatedBy=mvindex(srcuser,0)
| eval AccountDeletedBy=mvindex(srcuser,1)
| eval AccountDeletedBy=if(isnull(AccountDeletedBy),AccountCreatedBy,AccountDeletedBy)
| table AccountCreatedTime AccountCreatedBy CreatedAccountEventCode user AccountDeletedTime DeletedAccountEventCode AccountDeletedBy
| rename user AS AccountCreatedAndDeleted

Explorer

Hello, I've got one right here for ya!

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2  | where duration < 3600

I've tested it and get correct results.

Explorer

Hello,

So the event codes were improperly associated with the event descriptions, fixed that.

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2  | where duration < 3600

This works in my environment.

SplunkTrust

Try this

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Creation", EventCode=4726, "Account Creation", EventCode=624, "Account Deletion", EventCode=4720, "Account Deletion") 
|transaction startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < X*3600

where X is your hours.

New Member

But this will not be valid for the same user who is created and deleted.

The above query is valid for user account X being created and user account Y being deleted.

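An added example, not posted by anyone in the thread above: the same correlation written with streamstats instead of transaction. It pairs every deletion with the most recent creation of the same account, which is the point raised in the last reply (without a BY user grouping, a creation of account X and a deletion of account Y look like one pair), and it still pairs correctly when an account goes through several create/delete cycles, where a transaction with maxevents=2 or a stats min/max per user would match the wrong creation. Assumptions: the field names user (the account acted on) and src_user (the account that performed the action) as extracted by the Splunk Add-on for Microsoft Windows; the posters above use srcuser, so substitute whatever your extractions produce. The literal 3600 is a one-hour window; write X*3600 for X hours, as in the SplunkTrust answer.

```spl
sourcetype=WinEventLog:Security (EventCode=4720 OR EventCode=4726 OR EventCode=624 OR EventCode=630)
| eval action=case(EventCode=4720 OR EventCode=624, "created",
                   EventCode=4726 OR EventCode=630, "deleted")
| eval created_time=if(action="created", _time, null()),
       created_by=if(action="created", src_user, null())
| sort 0 _time
| streamstats current=f last(created_time) AS prev_created_time
                        last(created_by)   AS prev_created_by
                        BY user
| where action="deleted" AND isnotnull(prev_created_time)
        AND (_time - prev_created_time) < 3600
| eval lifetime_secs=_time - prev_created_time
| rename _time AS deleted_time, src_user AS deleted_by,
         prev_created_time AS created_time, prev_created_by AS created_by
| convert ctime(created_time) ctime(deleted_time)
| table user created_time created_by deleted_time deleted_by lifetime_secs
```

The sort 0 _time line is not optional: search results arrive newest first, and streamstats walks them in that order, so without the ascending sort last(created_time) on a deletion event would point at a later creation rather than the one that preceded it. current=f keeps a creation event from seeing its own timestamp, so on the deletion rows prev_created_time is always an earlier event of the same user; a deletion with no prior creation in the search window has a null prev_created_time and is dropped by the where clause. Only deletions survive the filter, so each row is one short-lived account with who created it, who deleted it, and how long it existed.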