I need an alert that notifies me when the SAME Account_Name logs into 2 specific hosts within the same 30 minute window. I'd like to see the events grouped by Account_Name. We auth with AD. Not sure the best way to do this. Logically, it works, but I only see events from the bracketed [search]. Any help would be appreciated. Thank you.
Here's what I have so far:
index=wineventlog earliest=-30m latest=now source="WinEventLog:Security" (src_ip="10.14.111.60")
| join Account_Name
[ search index=wineventlog earliest=-30m latest=now source="WinEventLog:Security" (src_ip="10.13.111.60") ]
First build a search which identifies your logon events.
index=wineventlog source="WinEventLog:Security" EventID=4624 earliest=-30m latest=now
Then count the number of distinct Account_Names that logged in
|stats dc(Account_Name)
That tells you how many unique users logged in in the last 30 minutes - nice, but not quite what you are after.
Expand your search to give you how many users logged in to each host
|stats dc(Account_Name) by host
Now you can see how many users logged into each host - better, but still not quite there...
Let's see how many distinct users logged into distinct hosts
|stats dc(Account_Name) dc(host) by Account_Name,host
That's looking better, now to tidy it up.
Just limit it to users who have logged into >1 host.
|stats dc(Account_Name) as users dc(host) as hosts by Account_Name,host|where hosts>1|table Account_Name host
Your final query is then:
index=wineventlog source="WinEventLog:Security" EventID=4624 earliest=-30m latest=now
|stats dc(Account_Name) as users dc(host) as hosts by Account_Name,host
|where hosts>1
|table Account_Name host
Minor correction 🙂
index=wineventlog source="WinEventLog:Security" EventID=4624 earliest=-30m latest=now
|stats dc(host) as hosts values(host) as host_name by Account_Name
|where hosts>1
Moved to an answer, I think it's very possibly a good answer, so let's give @emasiello@fhlb-of.com a chance to accept it. 🙂
If instead we need a bit of back and forth, well, comment-away!
Thanks. This is mostly what I need. I'm querying AD for the auth. So, I need (src_ip=10.13.111.60 OR src_ip=10.14.111.60) in there. The alert needs to tell me when there's an authentication for both src_ip's. The query part works. Now I need to only generate output when both src_ip's are logged.
It's something like this:
index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60) | stats dc(Account_Name) dc(src_ip) by Account_Name [[[[ where the number in the src_ip column equals 2 ]]]]
I cannot get syntax for this last part. Thank you.
You only need one of either dc(Account_Name) or by Account_Name to get that stats right, but you'll want the by Account_Name because it'll do what you need better. Then you'll just have a where (or in this case, search would be fine*) after it.
index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60)
| stats dc(src_ip) AS distinct_sources BY Account_Name
| where distinct_sources > 1
That should do it.
Or change it to a search -
index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60)
| stats dc(src_ip) AS distinct_sources BY Account_Name
| search distinct_sources > 1
* The difference between search and where is that where lets you compare two fields, like where distinct_sources > myOtherfield, and search only searches one field against a string/constant/whatever. In this case, you are just searching for greater than some number, so... Which brings up the time you'd need where - if you were to set a threshold (which isn't really that useful in this simple case, but can be useful in more complex ones), you could do something like
index=wineventlog source="WinEventLog:Security" EventCode=4624 (src_ip=10.13.111.60 OR src_ip=10.14.111.60)
| stats dc(src_ip) AS distinct_sources BY Account_Name
| eval threshold_of_badness = 2
| where distinct_sources >= threshold_of_badness
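The following is an added example, not code from the thread or from Splunk: a small Python model of what the stats pipelines in both answers compute (the dc(host)/dc(src_ip) by Account_Name count, then the where threshold), run over a handful of constructed 4624 events. It goes one step beyond the thread: because the scheduled search relies on earliest=-30m to bound the window, the last function applies the 30 minute window explicitly per account, which is what the original question asked for and which a stats over an arbitrary time range would not enforce. The event dictionaries, account names and timestamps are constructed sample data; the two source IPs and EventCode 4624 are the values from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The two authentication sources from the thread; 4624 = successful logon.
TARGET_SOURCES = {"10.13.111.60", "10.14.111.60"}
LOGON_EVENT_CODE = 4624
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real log data), shaped like the fields
# Splunk extracts from WinEventLog:Security: _time, EventCode, Account_Name, src_ip.
SAMPLE_EVENTS = [
    # alice: both sources, 10 minutes apart -> should alert
    {"_time": "2024-01-01T09:00:00", "EventCode": 4624, "Account_Name": "alice", "src_ip": "10.13.111.60"},
    {"_time": "2024-01-01T09:10:00", "EventCode": 4624, "Account_Name": "alice", "src_ip": "10.14.111.60"},
    # bob: same source twice -> only one distinct source
    {"_time": "2024-01-01T09:02:00", "EventCode": 4624, "Account_Name": "bob", "src_ip": "10.13.111.60"},
    {"_time": "2024-01-01T09:20:00", "EventCode": 4624, "Account_Name": "bob", "src_ip": "10.13.111.60"},
    # carol: both sources, but two hours apart -> counted by plain stats, not inside one window
    {"_time": "2024-01-01T08:00:00", "EventCode": 4624, "Account_Name": "carol", "src_ip": "10.13.111.60"},
    {"_time": "2024-01-01T10:00:00", "EventCode": 4624, "Account_Name": "carol", "src_ip": "10.14.111.60"},
    # dave: one target source plus an unrelated source -> the OR filter drops the second
    {"_time": "2024-01-01T09:05:00", "EventCode": 4624, "Account_Name": "dave", "src_ip": "10.13.111.60"},
    {"_time": "2024-01-01T09:06:00", "EventCode": 4624, "Account_Name": "dave", "src_ip": "192.168.1.5"},
    # eve: failed logons (4625) from both sources -> excluded by the EventCode filter
    {"_time": "2024-01-01T09:07:00", "EventCode": 4625, "Account_Name": "eve", "src_ip": "10.13.111.60"},
    {"_time": "2024-01-01T09:08:00", "EventCode": 4625, "Account_Name": "eve", "src_ip": "10.14.111.60"},
]


def _matching(events, event_code, sources):
    """The base search: EventCode=4624 (src_ip=A OR src_ip=B)."""
    return [e for e in events if e["EventCode"] == event_code and e["src_ip"] in sources]


def distinct_sources_by_account(events, event_code=LOGON_EVENT_CODE, sources=TARGET_SOURCES):
    """Equivalent of: | stats dc(src_ip) AS distinct_sources BY Account_Name"""
    seen = defaultdict(set)
    for ev in _matching(events, event_code, sources):
        seen[ev["Account_Name"]].add(ev["src_ip"])
    return {account: len(ips) for account, ips in seen.items()}


def accounts_over_threshold(events, threshold=2, **kw):
    """Equivalent of: | eval threshold_of_badness = 2 | where distinct_sources >= threshold_of_badness"""
    counts = distinct_sources_by_account(events, **kw)
    return sorted(account for account, n in counts.items() if n >= threshold)


def accounts_with_all_sources_in_window(events, window=WINDOW, event_code=LOGON_EVENT_CODE,
                                        sources=TARGET_SOURCES):
    """The asker's actual requirement, enforced per account: the same Account_Name
    seen from every source in `sources` within one sliding window of length `window`.
    A scheduled search with earliest=-30m approximates this; here it is explicit."""
    logons = defaultdict(list)
    for ev in _matching(events, event_code, sources):
        logons[ev["Account_Name"]].append((datetime.fromisoformat(ev["_time"]), ev["src_ip"]))
    hits = set()
    for account, entries in logons.items():
        entries.sort()
        # Slide a window starting at each logon; stop as soon as one window covers all sources.
        for i, (start, _) in enumerate(entries):
            seen = set()
            for when, ip in entries[i:]:
                if when - start > window:
                    break
                seen.add(ip)
            if seen == set(sources):
                hits.add(account)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("distinct sources:", distinct_sources_by_account(SAMPLE_EVENTS))
    print("over threshold:", accounts_over_threshold(SAMPLE_EVENTS))
    print("within 30 min:", accounts_with_all_sources_in_window(SAMPLE_EVENTS))
```

The difference between the second and third functions is the point to check when turning this into an alert: with only stats and where, carol is reported because the two logons fall inside whatever time range the search covers, while the windowed version reports only alice. One real-world caveat when building the Splunk version: on Windows 4624 events Account_Name is typically multivalued (the subject account and the new logon account), so the stats may need to run on the target account field rather than the raw Account_Name.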