Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for exact sequence of events?

kelvinJE
Engager
‎09-10-2018 02:48 PM

Hi All

Wondering if anybody can assist. We're logging privilege user activity (GUI interactions etc) and looking to identify when a certain sequence occurs.

We have data such as the following:

Time    |   User   |   Action
10:00     Joe         Copied To Clipboard (Sensitive Data)
10:01     Ben         Copied To Clipboard (Normal Data)
10:01     Ben         Pasted From Clipboard
10:01     Joe         Copied To Clipboard (Normal Data)
10:02     Joe         Pasted From Clipboard
10:03     Joe         Copied To Clipboard (Sensitive Data)
10:04     Joe         Pasted From Clipboard
10:06     Joe         Copied To Clipboard (Normal Data)
10:07     Joe         Pasted From Clipboard

We're only interested in knowing when Sensitive data is copied, then pasted. So exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied, but then overwritten such as Joes actions 10:00, 10:01 and 10:02 then its ignored

I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:

 index=privillege_user_actions
 | SORT time
 | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"

Could anybody recommend a query for doing this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2018 04:31 AM

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2018 04:31 AM

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kelvinJE
Engager
‎09-10-2018 03:08 PM

A slight amendment, which I think is on the right tracks and returns some data, but I'm not sure it's correct:

index=privillege_user_actions
  | SORT time
  | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"
| where eventcount=2

But I'd be really grateful for any assistance on this.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-11-2018 05:51 AM

try this:

index=privillege_user_actions
transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" maxevents=2
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...