Re: Help needed with Search to correlate Event Log...

moulinjs · ‎05-05-2013

Hello. I would like to create an alert anytime a privileged user account logs in to our domain. I can do separate searches for the information I want, but cannot seem to combine them to check two data sources. I am using Snare agents on Windows which go to a Syslog server that comes in to Splunk on TCP 514. I also have the SA for LDAP searching installed. I can do the following search which gives me logins and it returns just fine: sourcetype=snare_syslog (EventID="528" OR EventID="4624")

I can also do the following search within the ActiveDirectory source and get privileged level account information (we have any privileged level account within a OU named "Elevated": source="ActiveDirectory" distinguishedName=",OU=Elevated," This search provides only results that have a full username associated with a login instead of service accounts or null results.

My issue is...how do I combine these two, so Splunk with see a login, check to see if they are in an Elevated group, and then provide those results? I've tried doing multiple subsearches with no success. Any help would be greatly appreciated! Thank you.

billford · ‎05-05-2013

Look up sub searches. That's how I solved a very similar problem. I'm mobile but can post an example when I'm on a real keyboard.

moulinjs · ‎05-06-2013

Thanks for the response...I've looked up subsearches and have tried many but am not able to get any results. I would appreciate any examples you can provide. I have done many variations of things like: sourcetype=snare_syslog (EventID="528" OR EventID="4624") [search source="ActiveDirectory" distinguishedName=",OU=Elevated,"] and haven't had any luck.

Help needed with Search to correlate Event Logs with Active Directory OU

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM