Splunk Search

How do I search for exact sequence of events?

kelvinJE
Engager

Hi All

Wondering if anybody can assist. We're logging privilege user activity (GUI interactions etc) and looking to identify when a certain sequence occurs.

We have data such as the following:

Time    |   User   |   Action
10:00     Joe         Copied To Clipboard (Sensitive Data)
10:01     Ben         Copied To Clipboard (Normal Data)
10:01     Ben         Pasted From Clipboard
10:01     Joe         Copied To Clipboard (Normal Data)
10:02     Joe         Pasted From Clipboard
10:03     Joe         Copied To Clipboard (Sensitive Data)
10:04     Joe         Pasted From Clipboard
10:06     Joe         Copied To Clipboard (Normal Data)
10:07     Joe         Pasted From Clipboard

We're only interested in knowing when Sensitive data is copied, then pasted. So exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied, but then overwritten such as Joes actions 10:00, 10:01 and 10:02 then its ignored

I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:

 index=privillege_user_actions
 | SORT time
 | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"

Could anybody recommend a query for doing this?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kelvinJE
Engager

A slight amendment, which I think is on the right tracks and returns some data, but I'm not sure it's correct:

index=privillege_user_actions
  | SORT time
  | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"
| where eventcount=2

But I'd be really grateful for any assistance on this.

0 Karma

adonio
Ultra Champion

try this:

index=privillege_user_actions
transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" maxevents=2
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...