Hello all,
I could use some help here with creating a search. Ultimately I would like to know if a user is added to a specific set of security groups what security groups if any were removed from that same user.
Here is a search for security group removal:
index=wineventlog EventCode=4729 EventCodeDescription="A member was removed from a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog
| table member, Group_Name, Subject_Account_Name, _time
Here is a search for security group added:
index=wineventlog EventCode=4728 EventCodeDescription="A member was Added to a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog
| table member, Group_Name, Subject_Account_Name, _time
additional search info:
EventCode=4728 Added
EventCode=4729 Removed
Group_Name - security group
Subject_Account_Name - prov sentry
member - user
security groups, I would like to monitor users being added to:
RDSUSers_GRSQCP01
RDSUSers_GROQCP01
RDSUSers_BRSQCP01
RDSUSers_BROQCP01
RDSUSers_VRSQCP01
RDSUSers_VROQCP01
Again, I am looking to monitor whether a user who was added to any of the above 6 security groups was, within a few hours before or after that event, removed from any other groups. Let me know if I can provide any additional info and, as always, thank you for the help.
Try the search below:
EventCode=4728 OR EventCode=4729 Account_Name="*" | stats count by Account_Name user_group signature_id name _time
That didn't work. Also, I don't think you can count by multiple fields.
1. Yes, you can split your count by how many fields you want.
2. "This doesn't work" is not a very constructive comment. Remember that it's you who asks for help.
3.
index=wineventlog EventCode IN (4728,4729)
This will find all the events where a user was either added to or removed from a security-enabled group. That's a start. But you want to find situations where a user was removed from another group and added to one of those you seek. So you want something like this:
index=wineventlog ((EventCode=4728 Group_Name IN (RDSUSers_GRSQCP01, RDSUSers_GROQCP01, RDSUSers_BRSQCP01, RDSUSers_BROQCP01, RDSUSers_VRSQCP01, RDSUSers_VROQCP01)) OR (EventCode=4729 NOT Group_Name IN (RDSUSers_GRSQCP01, RDSUSers_GROQCP01, RDSUSers_BRSQCP01, RDSUSers_BROQCP01, RDSUSers_VRSQCP01, RDSUSers_VROQCP01)))
Looks a bit uglier, doesn't it? But it will give you all potentially interesting events. Now you have to find if they fit your criteria.
Since we will need to reverse the order of the events (by default Splunk returns events in reverse chronological order, which is a bit inconvenient for us here), you might want to limit the further processed data to the relevant fields (but if you have just a bunch of events this is an optional step):
| fields EventCode Group_Name Subject_Account_Name
| fields - _raw
(Notice that I didn't explicitly include _time because it is added by default)
Now we need to sort by _time so the earliest events are processed first:
| sort _time
As the default order is reverse chronological, doing just
| reverse
instead should work as well.
Now we create fields containing the timestamp of the removal from a group and the name of the group the user was removed from:
| eval remstamp=if(EventCode=4729,_time,null())
| eval remgroup=if(EventCode=4729,Group_Name,null())
So now we can use streamstats to see when and from which groups the users were removed:
| streamstats last(remstamp) as last_removed last(remgroup) as removed_from by Subject_Account_Name
This will propagate the information of a user's removal from a group to the next event regarding the same user.
Now we need to find the matching events. For a 3-hour window it will be
| where EventCode=4728 AND _time-last_removed<10800
Be aware that it will only find the last removal for a given user. By tweaking the streamstats you can probably aggregate all removals, but it's too late for me to think about it now 😉
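The correlation described in the answer above (pair each addition to a watched group with removals of the same account from other groups inside a time window), written out as a stand-alone Python script so the logic can be checked offline before building the SPL. This is an added example, not code from any poster in this thread. It differs from the streamstats version in two ways that match the original question: it keys on the `member` field (the user being changed, per the legend in the question) rather than `Subject_Account_Name` (the provisioning account making the change), and it collects every removal both before and after the addition instead of only the last one. The sample events, the account names and the timestamps are constructed for the example; the field names follow the Splunk fields named in the thread.

```python
"""Correlate Windows security-group changes (4728 added, 4729 removed).

For every 4728 addition of a member to one of the watched RDS groups, list
the 4729 removals of that same member from any non-watched group that fall
within +/- WINDOW of the addition. Added example; not from the thread."""
from collections import defaultdict
from datetime import datetime, timedelta

# The six groups from the question.
WATCHED_GROUPS = {
    "RDSUSers_GRSQCP01", "RDSUSers_GROQCP01",
    "RDSUSers_BRSQCP01", "RDSUSers_BROQCP01",
    "RDSUSers_VRSQCP01", "RDSUSers_VROQCP01",
}
WINDOW = timedelta(hours=3)  # the answer's 10800-second window, applied on both sides

# Constructed sample events (field names as in the Splunk searches above).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01 08:00:00", "EventCode": 4729, "member": "jdoe",
     "Group_Name": "Finance_Users", "Subject_Account_Name": "srv_HiveProvSentry"},
    {"_time": "2024-05-01 09:30:00", "EventCode": 4728, "member": "jdoe",
     "Group_Name": "RDSUSers_GRSQCP01", "Subject_Account_Name": "srv_HiveProvSentry"},
    {"_time": "2024-05-01 10:15:00", "EventCode": 4729, "member": "jdoe",
     "Group_Name": "HR_ReadOnly", "Subject_Account_Name": "srv_HiveProvSentryNe"},
    # 7.5 hours before the addition: outside the window, must not be reported.
    {"_time": "2024-05-01 02:00:00", "EventCode": 4729, "member": "jdoe",
     "Group_Name": "Old_Project", "Subject_Account_Name": "srv_HiveProvSentry"},
    # Added to a watched group with no nearby removals: reported with an empty list.
    {"_time": "2024-05-01 11:00:00", "EventCode": 4728, "member": "asmith",
     "Group_Name": "RDSUSers_BROQCP01", "Subject_Account_Name": "srv_HiveProvSentry"},
    # Added to an unwatched group: ignored entirely.
    {"_time": "2024-05-01 11:05:00", "EventCode": 4728, "member": "bob",
     "Group_Name": "Some_Other_Group", "Subject_Account_Name": "srv_HiveProvSentry"},
    # Removal from a watched group is not an "other group" removal: ignored.
    {"_time": "2024-05-01 11:30:00", "EventCode": 4729, "member": "cdoe",
     "Group_Name": "RDSUSers_GRSQCP01", "Subject_Account_Name": "srv_HiveProvSentry"},
]


def parse_time(text):
    """Sample timestamps are plain 'YYYY-MM-DD HH:MM:SS' strings."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, watched=WATCHED_GROUPS, window=WINDOW):
    """Return one record per addition to a watched group, with the removals
    of the same member from non-watched groups inside the window, oldest first."""
    removals = defaultdict(list)  # member -> [(time, group)]
    additions = []                # (time, member, group, subject)
    for ev in events:
        when = parse_time(ev["_time"])
        if ev["EventCode"] == 4729 and ev["Group_Name"] not in watched:
            removals[ev["member"]].append((when, ev["Group_Name"]))
        elif ev["EventCode"] == 4728 and ev["Group_Name"] in watched:
            additions.append((when, ev["member"], ev["Group_Name"],
                              ev["Subject_Account_Name"]))

    results = []
    for when, member, group, subject in sorted(additions):
        nearby = sorted((t, g) for t, g in removals[member] if abs(t - when) <= window)
        results.append({
            "time": when.isoformat(sep=" "),
            "member": member,
            "added_to": group,
            "by": subject,
            "removed_from": [g for _, g in nearby],
        })
    return results


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(f'{row["time"]}  {row["member"]:<8} added to {row["added_to"]} '
              f'by {row["by"]}; removed from: {row["removed_from"] or "none"}')
```

Running it prints two rows: jdoe (removed from Finance_Users and HR_ReadOnly around the addition, with the 02:00 removal excluded by the window) and asmith (no removals). Swap `SAMPLE_EVENTS` for the output of the 4728/4729 search exported from Splunk to check a real day's data the same way.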