Splunk Search

How do I get the event associated to a fired_alert?

pfabrizi
Path Finder

I run this search: index=_audit action=fired_alert

I get back this, which looks like the properties of the alert:
Audit:[timestamp=11-08-2017 06:52:57.231, id=35143213, user=admin, action=alert_fired, ss_user="nobody", ss_app="search", ss_name="RDP by GenericID Prod", sid="rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0", alert_actions="email,notable,resilient", severity=3, trigger_time=1510141971, expiration=1510228377, digest_mode=0, triggered_alerts=1][OhxQLHMR0bgxLAaqfsIRoIsoknIp5H1APZ24P4Hm/9FDp8O0VT46WEsP+yLAPbuHYNBkjd8X2/Lu4tVXmqLy+d738KZDjCqFTCu9WcwwILDA97uAfDes/bqw0KamiumItENPlXSQkZIGLfuULHuVoBWOdWrIDF5MMp2y19XsXps=]

The search for the alert looks like this:
index="wineventlog" EventCode=4648 Logon_ID=0x3e7 Process_Name="C:\Windows\System32\winlogon.exe" [ | inputlookup serts-prod.csv | rename genid as user_identity | table user_identity] | eval discovered_date=ceil(_time) * 1000| fields host, user, Account_Domain, discovered_date

How do I get the values in the fields statement? It should be my username, my workstation and my logon domain.

Thanks!

0 Karma

akheraj_splunk
Splunk Employee

You have the SID of the search that triggered the alert: rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0

Then use one of the endpoints (/services/search/jobs, /services/search/jobs/{search_id}/results) to get the search results using the SID.

0 Karma

pfabrizi
Path Finder

I did this, but not sure this is the best approach.
search index=_audit action=alert_fired earliest=startingDate latest=endingDate | map search="| loadjob $sid$"

I use a starting and ending date so I am only searching on a time frame when the alert happened and not the entire time frame.

I am using the C# SDK, but is what you listed above a more efficient method?

Thanks!

0 Karma
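Both replies above come down to the same step: pull the sid out of the _audit event, then ask Splunk for that job's rows, either through the REST results endpoint akheraj_splunk names or through | loadjob as in the map search. The script below is an added example, not code from this thread, from Splunk, or from the C# SDK. It parses the audit event shown in the question (the trailing signature blob is replaced with a constructed placeholder) into fields, builds the /services/search/jobs/{sid}/results URL, returns the equivalent loadjob search, and checks the event's expiration field before fetching, because once the alert artifact expires neither method returns rows. The base URL, the session key and the fetch_results helper are assumptions for illustration.

```python
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed sample: the _audit event from the question. The second bracket
# normally holds Splunk's base64 audit signature; it is a placeholder here.
SAMPLE_AUDIT_EVENT = (
    'Audit:[timestamp=11-08-2017 06:52:57.231, id=35143213, user=admin, '
    'action=alert_fired, ss_user="nobody", ss_app="search", '
    'ss_name="RDP by GenericID Prod", '
    'sid="rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0", '
    'alert_actions="email,notable,resilient", severity=3, '
    'trigger_time=1510141971, expiration=1510228377, digest_mode=0, '
    'triggered_alerts=1][SIGNATURE-PLACEHOLDER]'
)

# key=value pairs: the value is either double-quoted (may contain commas and
# spaces, e.g. ss_name) or a bare token running up to the next comma/bracket.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\]]+))')


def parse_audit_event(raw):
    """Return the key=value fields of an Audit:[...] event as a dict."""
    start = raw.find('[')
    end = raw.find(']', start)
    if start < 0 or end < 0:
        raise ValueError("not an Audit:[...] event")
    fields = {}
    for key, quoted, bare in _KV_RE.findall(raw[start + 1:end]):
        # findall yields '' for the group that did not participate
        fields[key] = quoted if quoted != '' else bare.strip()
    return fields


def alert_actions(fields):
    """alert_actions is a comma-separated list inside one quoted value."""
    return [a for a in fields.get("alert_actions", "").split(",") if a]


def trigger_time_utc(fields):
    """trigger_time is epoch seconds; render it as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(int(fields["trigger_time"]),
                                  tz=timezone.utc).isoformat()


def artifact_expired(fields, now_epoch):
    """The job's results are only retrievable until the expiration epoch."""
    return now_epoch >= int(fields["expiration"])


def results_endpoint(base_url, sid, count=0):
    """REST URL for the rows the triggering search produced.
    count=0 asks for all rows instead of the default page size."""
    encoded_sid = urllib.parse.quote(sid, safe='')
    query = urllib.parse.urlencode({"output_mode": "json", "count": count})
    return (f"{base_url.rstrip('/')}/services/search/jobs/"
            f"{encoded_sid}/results?{query}")


def loadjob_search(sid):
    """Equivalent SPL for pulling the same rows from the Search app."""
    return f"| loadjob {sid}"


def fetch_results(base_url, sid, session_key, timeout=30):
    """Assumed helper: GET the results with a Splunk session key.
    The decoded JSON's 'results' list holds one dict per row, keyed by the
    fields the triggering search kept (host, user, Account_Domain, ...)."""
    req = urllib.request.Request(
        results_endpoint(base_url, sid),
        headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    f = parse_audit_event(SAMPLE_AUDIT_EVENT)
    print("alert:", f["ss_name"], "fired at", trigger_time_utc(f))
    print("actions:", alert_actions(f))
    print("REST:", results_endpoint("https://splunk.example:8089", f["sid"]))
    print("SPL: ", loadjob_search(f["sid"]))
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print("artifact expired:", artifact_expired(f, now))
```

Run it against a live server by calling fetch_results with your management URL and a session key obtained from /services/auth/login; if artifact_expired is already true, re-run the original search over the trigger_time window instead, since the saved job is gone.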