Create alert for multiple server login search

emasiello
New Member

I need an alert that notifies me when the SAME Account_Name logs into 2 specific hosts within the same 30 minute window. I'd like to see the events grouped by Account_Name. We auth with AD. Not sure the best way to do this. Logically, it works, but I only see events from the bracketed [search]. Any help would be appreciated. Thank you.
Here's what I have so far:

index=wineventlog earliest=-30m latest=now source="WinEventLog:Security" (src_ip="10.14.111.60")
| join Account_Name
[ search index=wineventlog earliest=-30m latest=now source="WinEventLog:Security" (src_ip="10.13.111.60")  ]
0 Karma

nickhills
Ultra Champion

First build a search which identifies your logon events.

index=wineventlog source="WinEventLog:Security" EventID=4624 earliest=-30m latest=now

Then count the number of distinct Account_Names that logged in
|stats dc(Account_Name)
That tells you how many unique users logged in in the last 30 minutes - nice, but not quite what you are after.

Expand your search to give you how many users logged in to each host
|stats dc(Account_Name) by host
Now you can see how many users logged into each host - better, but still not quite there...

Let's see how many distinct users logged into distinct hosts
|stats dc(Account_Name) dc(host) by Account_Name,host
That's looking better; now to tidy it up...

Just limit it to users who have logged into >1 host.
|stats dc(Account_Name) as users dc(host) as hosts by Account_Name,host|where hosts>1|table Account_Name host

Your final query is then:

index=wineventlog source="WinEventLog:Security" EventID=4624 earliest=-30m latest=now
|stats dc(Account_Name) as users dc(host) as hosts by Account_Name,host
|where hosts>1
|table Account_Name host
If my comment helps, please give it a thumbs up!
0 Karma

sumanssah
Communicator

Minor correction 🙂

 index=wineventlog source="WinEventLog:Security" EventID=4624 earliest=-30m latest=now
     |stats dc(host) as hosts values(host) as host_name by Account_Name
     |where hosts>1
0 Karma

Richfez
SplunkTrust

Moved to an answer, I think it's very possibly a good answer, so let's give @emasiello@fhlb-of.com a chance to accept it. 🙂

If instead we need a bit of back and forth, well, comment-away!

0 Karma

emasiello
New Member

Thanks. This is mostly what I need. I'm querying AD for the auth. So, I need (src_ip=10.13.111.60 OR src_ip=10.14.111.60) in there. The alert needs to tell me when there's an authentication for both src_ip's. The query part works. Now I need to only generate output when both src_ip's are logged.

It's something like this:
index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60) | stats dc(Account_Name) dc(src_ip) by Account_Name [[[[ where the number in the src_ip column equals 2 ]]]]

I cannot get syntax for this last part. Thank you.

0 Karma

Richfez
SplunkTrust

You only need one of either dc(Account_Name) or by Account_Name to get that stats right, but you'll want the by Account_Name because it'll do what you need better. Then you'll just have a where (or in this case, search would be fine*) after it.

index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60) 
| stats dc(src_ip) AS distinct_sources BY Account_Name 
| where distinct_sources > 1

That should do it.

Or change it to a search -

index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60) 
| stats dc(src_ip) AS distinct_sources BY Account_Name 
| search distinct_sources > 1
  • The main difference between search and where is that where lets you compare two fields, like where distinct_sources > myOtherfield, and search only searches one field against a string/constant/whatever. In this case, you are just searching for greater than some number, so...

Which brings up the time you'd need where - if you were to set a threshold (which isn't really that useful in this simple case, but can be useful in more complex ones), you could do something like

index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60) 
| stats dc(src_ip) AS distinct_sources BY Account_Name 
| eval threshold_of_badness = 2
| where distinct_sources >= threshold_of_badness
0 Karma
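The same detection as the accepted SPL (dc(src_ip) by Account_Name, then where distinct_sources > 1), written in Python as an added example that is not from the thread or from Splunk. It goes one step beyond the search above: instead of the fixed earliest=-30m window, it uses a sliding 30-minute window per account, so a pair of logons that straddles two consecutive scheduled runs is still caught. The event list, account names and timestamps are constructed; the two src_ip values are the ones from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (logon) events, mirroring the
# fields the thread's SPL uses: _time, Account_Name, src_ip. Not real log data.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01 09:00:00", "Account_Name": "jdoe", "src_ip": "10.13.111.60"},
    {"_time": "2024-03-01 09:10:00", "Account_Name": "jdoe", "src_ip": "10.14.111.60"},
    {"_time": "2024-03-01 09:05:00", "Account_Name": "asmith", "src_ip": "10.13.111.60"},
    {"_time": "2024-03-01 10:30:00", "Account_Name": "asmith", "src_ip": "10.14.111.60"},
    {"_time": "2024-03-01 09:07:00", "Account_Name": "svc_backup", "src_ip": "10.13.111.60"},
    {"_time": "2024-03-01 09:08:00", "Account_Name": "svc_backup", "src_ip": "10.13.111.60"},
    {"_time": "2024-03-01 09:09:00", "Account_Name": "bob", "src_ip": "192.0.2.7"},
]

# The two source hosts from the thread; the filter (src_ip=A OR src_ip=B).
WATCHED_SOURCES = {"10.13.111.60", "10.14.111.60"}


def find_dual_source_logons(events, watched=WATCHED_SOURCES, window=timedelta(minutes=30)):
    """Return {Account_Name: sorted src_ips} for every account that logged on
    from more than one watched source inside a single sliding `window`.

    SPL equivalent:  | stats dc(src_ip) AS distinct_sources BY Account_Name
                     | where distinct_sources > 1
    """
    per_account = defaultdict(list)
    for ev in events:
        if ev["src_ip"] in watched:  # same effect as the OR clause in the base search
            ts = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S")
            per_account[ev["Account_Name"]].append((ts, ev["src_ip"]))

    hits = {}
    for account, logons in per_account.items():
        logons.sort()  # chronological, so each window starts at a logon
        for i, (start, _) in enumerate(logons):
            # dc(src_ip) over the events within `window` after this logon
            seen = {src for ts, src in logons[i:] if ts - start <= window}
            if len(seen) > 1:  # where distinct_sources > 1
                hits[account] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for account, sources in find_dual_source_logons(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: logons from {', '.join(sources)} within 30 minutes")
```

On the sample data only jdoe fires: asmith's two logons are 85 minutes apart, svc_backup only ever uses one source, and bob's source is not one of the watched hosts.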