Splunk Search

How do I search for exact sequence of events?

kelvinJE
Engager

Hi All

Wondering if anybody can assist. We're logging privilege user activity (GUI interactions etc) and looking to identify when a certain sequence occurs.

We have data such as the following:

Time    |   User   |   Action
10:00     Joe         Copied To Clipboard (Sensitive Data)
10:01     Ben         Copied To Clipboard (Normal Data)
10:01     Ben         Pasted From Clipboard
10:01     Joe         Copied To Clipboard (Normal Data)
10:02     Joe         Pasted From Clipboard
10:03     Joe         Copied To Clipboard (Sensitive Data)
10:04     Joe         Pasted From Clipboard
10:06     Joe         Copied To Clipboard (Normal Data)
10:07     Joe         Pasted From Clipboard

We're only interested in knowing when Sensitive data is copied, then pasted. So exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied, but then overwritten such as Joes actions 10:00, 10:01 and 10:02 then its ignored

I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:

 index=privillege_user_actions
 | SORT time
 | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"

Could anybody recommend a query for doing this?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

kelvinJE
Engager

A slight amendment, which I think is on the right tracks and returns some data, but I'm not sure it's correct:

index=privillege_user_actions
  | SORT time
  | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"
| where eventcount=2

But I'd be really grateful for any assistance on this.

0 Karma

adonio
Ultra Champion

try this:

index=privillege_user_actions
transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" maxevents=2
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!