Hi
I need your support, Splunkers.
I want to search for a user created and deleted within 10 minutes.
So I am starting the search like this:
index=windows_auth EventID=4720 AND EventID=4726
Then I just got stuck, no matter what I tried.
I need the data where these 2 events occur within 10 minutes for the same username.
Thanks for your help !
Hi @shlomihertzberg ,
This works, but I guess there are smarter ways:
index=windows_auth EventID=4720 OR EventID=4726
| dedup EventID, User
| stats count by User
| where count>1
| fields - count
The dedup is just for the (I guess) rare case where a User is created and/or deleted more than once within 10 minutes.
Now you just have to put your search to a 10 minute timeframe.
Edit 22/6: Needs to be "OR" in the first line instead of "AND" of course 🤐 (thx @isoutamo)
Hi @rnowitzki
Thank you very much for your goodwill.
Unfortunately it does not give any results.
But I will keep trying.
Thank you!
Hi
Try changing AND to OR in this, as otherwise it finds only events which have both values in the same event, which is impossible. With OR it finds both separate events, and if those exist within 10 min then it "alerts".
r. Ismo
Since you are filtering data down so well, this could be a case for the "transaction" command.
index=windows_auth EventID=4720 OR EventID=4726
| transaction username maxspan=10m maxpause=10m startswith="EventID=4720" endswith="EventID=4726"
I don't know for sure they are in the right order (startswith vs. endswith), and you'll need to adjust field "username" to what you need to hook 'em up on.
But what pops out the other end should be your list.
There's other options to the transaction command, too. See the docs!
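The correlation both answers describe (a 4720 "user account created" followed by a 4726 "user account deleted" for the same account within 10 minutes), as an added Python example that is not part of the thread and not from any of the posters. It pairs each deletion with the most recent prior creation per account, the way the transaction answer does, so it works over any search time range rather than relying on the whole search being scoped to a 10-minute window as the dedup/stats answer does. The field names EventID, User and _time and the sample events are constructed assumptions; the Windows add-on in your environment may extract the account name under a different field.

```python
"""
Correlate Windows Security events 4720 (user account created) and 4726
(user account deleted) for the same account within a 10-minute window.

Added example for the thread above, not Splunk code. Field names
(EventID, User, _time) and SAMPLE_EVENTS are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs), ISO timestamps, same format
# for every row so they sort cleanly.
SAMPLE_EVENTS = [
    {"_time": "2023-06-22T09:00:00", "EventID": 4720, "User": "svc_backup"},
    {"_time": "2023-06-22T09:04:30", "EventID": 4726, "User": "svc_backup"},  # deleted 4.5 min after creation -> hit
    {"_time": "2023-06-22T09:10:00", "EventID": 4720, "User": "alice"},
    {"_time": "2023-06-22T10:30:00", "EventID": 4726, "User": "alice"},       # 80 min apart -> no hit
    {"_time": "2023-06-22T11:00:00", "EventID": 4726, "User": "bob"},         # no creation in scope -> ignored
    {"_time": "2023-06-22T11:05:00", "EventID": 4720, "User": "tmp_admin"},
    {"_time": "2023-06-22T11:06:00", "EventID": 4720, "User": "tmp_admin"},   # created twice (the dedup case)
    {"_time": "2023-06-22T11:12:00", "EventID": 4726, "User": "tmp_admin"},   # 6 min after latest 4720 -> hit
]


def correlate_create_delete(events, maxspan_minutes=10):
    """Return one tuple (user, created_at, deleted_at, seconds_between) for
    every 4726 that follows a 4720 for the same account within maxspan_minutes.

    Equivalent in spirit to `transaction User startswith=... endswith=...`
    with maxspan: state is kept per account, and a repeated 4720 restarts
    the pending transaction for that account.
    """
    maxspan = timedelta(minutes=maxspan_minutes)
    open_creates = {}  # user -> time of most recent 4720 not yet closed by a 4726
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        t = datetime.fromisoformat(ev["_time"])
        user = ev["User"]
        if ev["EventID"] == 4720:
            open_creates[user] = t
        elif ev["EventID"] == 4726 and user in open_creates:
            created = open_creates.pop(user)
            delta = t - created
            if delta <= maxspan:
                hits.append((user, created.isoformat(), t.isoformat(),
                             int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for user, created, deleted, secs in correlate_create_delete(SAMPLE_EVENTS):
        print(f"{user}: created {created}, deleted {deleted} ({secs}s later)")
```

Running the script prints the two short-lived accounts (svc_backup and tmp_admin). Overwriting the pending creation on a repeated 4720 plays the role of the dedup in the first answer, and a 4726 with no preceding 4720 in the data is ignored rather than counted, which is why filtering on "both event IDs seen per user" alone can over-report when the time range is wider than 10 minutes.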