Splunk Search

How do I build a correlation rule? "Account was created and deleted"

or1515
Loves-to-Learn Everything

Hi!


Is there another way to create a query with EventID ("user created") and then EventID ("user deleted") within 5 minutes?

I just want to create a correlation rule with two operations (one after the other) and display the relevant fields (with the "stats" command).


index=ph_windows_sec sourcetype=XmlWinEventLog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) earliest=-14d 
| stats values(TargetUserName) as TargetUserName, values(signature) as Message, count by Caller_User_Name 
| eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") 
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 
| where duration < 3600


gcusello
SplunkTrust

Hi @or1515,

I usually try to avoid the transaction command whenever I can, so please try something like this:

index=ph_windows_sec sourcetype=XmlWinEventLog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) earliest=-14d 
| eval status=case(EventCode=630, "Deletion", EventCode=4726, "Deletion", EventCode=624, "Creation", EventCode=4720, "Creation") 
| stats dc(status) AS dc_status earliest(_time) AS earliest latest(_time) AS latest BY user
| eval duration=latest-earliest
| where duration<3600 AND dc_status=2

Anyway, there's probably an error in your search: you want to use the field "user" in the transaction command and the field "EventCode" in the eval command, but you don't have these fields in the stats command, so they aren't available to the following commands.

Ciao.

Giuseppe

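The correlation the answer's search expresses (both a "Creation" and a "Deletion" status for the same user, with latest minus earliest under 3600 seconds), as an added Python example that is not part of the thread and not Splunk code. It runs the same logic over a handful of constructed Windows security events so you can see which accounts it flags, and it also includes a stricter variant that requires the creation to precede the deletion, which is what the original poster's transaction startswith/endswith was trying to say and which the dc(status)=2 test alone does not check (a delete followed by a re-create within the hour also satisfies it). The EventCode mapping (4720/624 create, 4726/630 delete) and the field names are taken from the thread; the sample events, the helper names and the caller values are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# EventCode -> status label, the same mapping as the eval/case() in the thread.
STATUS_BY_EVENTCODE = {
    630: "Deletion", 4726: "Deletion",
    624: "Creation", 4720: "Creation",
}


@dataclass(frozen=True)
class Event:
    """One Windows security event, reduced to the fields the correlation needs."""
    time: int        # epoch seconds (Splunk _time)
    event_code: int  # EventCode
    user: str        # account affected (TargetUserName / user)
    caller: str      # account performing the action (SubjectUserName / Caller_User_Name)


def stats_style_correlation(events: List[Event], window: int = 3600) -> Dict[str, int]:
    """Mirror of the answer's search:
        eval status=case(...) | stats dc(status) earliest(_time) latest(_time) BY user
        | where latest-earliest < window AND dc_status=2
    Returns {user: duration} for every user that matches. Order is NOT checked:
    a deletion followed by a creation inside the window also matches.
    """
    by_user = defaultdict(list)
    for e in events:
        status = STATUS_BY_EVENTCODE.get(e.event_code)
        if status is None:
            continue  # not a create/delete event; the base search would not return it
        by_user[e.user].append((e.time, status))

    hits = {}
    for user, rows in by_user.items():
        distinct_status = {s for _, s in rows}
        times = [t for t, _ in rows]
        duration = max(times) - min(times)
        if len(distinct_status) == 2 and duration < window:
            hits[user] = duration
    return hits


def ordered_correlation(events: List[Event], window: int = 3600) -> List[Tuple[str, int, int, str]]:
    """Stricter variant: a Deletion that follows a Creation of the same account
    within `window` seconds (what transaction startswith/endswith expresses).
    Returns (user, created_at, deleted_at, caller_of_deletion) per match.
    """
    created_at: Dict[str, int] = {}  # user -> time of the most recent creation seen
    matches = []
    for e in sorted(events, key=lambda x: x.time):
        status = STATUS_BY_EVENTCODE.get(e.event_code)
        if status == "Creation":
            created_at[e.user] = e.time
        elif status == "Deletion":
            t0 = created_at.pop(e.user, None)  # a stale creation is discarded either way
            if t0 is not None and e.time - t0 < window:
                matches.append((e.user, t0, e.time, e.caller))
    return matches


# Constructed sample events (not real logs). Times are arbitrary epoch seconds.
SAMPLE_EVENTS = [
    Event(1000, 4720, "svc_tmp", "admin1"),   # created ...
    Event(1150, 4624, "svc_tmp", "svc_tmp"),  # logon event, ignored by both correlations
    Event(1300, 4726, "svc_tmp", "admin1"),   # ... and deleted 5 minutes later
    Event(2000, 4726, "bob", "admin2"),       # deleted first ...
    Event(2500, 4720, "bob", "admin2"),       # ... then re-created: wrong order
    Event(3000, 4720, "alice", "admin1"),     # created ...
    Event(8000, 4726, "alice", "admin1"),     # ... deleted after 5000 s, outside the window
    Event(4000, 4720, "carol", "admin3"),     # created only
]

if __name__ == "__main__":
    print("stats-style:", stats_style_correlation(SAMPLE_EVENTS))
    print("ordered:    ", ordered_correlation(SAMPLE_EVENTS))
```

On the sample data the stats-style pass flags both svc_tmp and bob, while the ordered pass flags only svc_tmp. If "deleted, then re-created" is not something you want to alert on, add the ordering condition to the SPL as well, for example by taking `min(eval(if(status="Creation",_time,null())))` and `max(eval(if(status="Deletion",_time,null())))` in the stats and requiring the deletion time to be the later one.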