Splunk Search

How to Find new users in the last 24 hours and see if they were subsequently added to two groups?

jdtokenring
Engager

Greetings!

I have been googling, pluralsighting, reading splunk docs and I am extremely new to splunk. I did search the community and didn't find something close enough to what I need. So I am asking if anyone here has an idea of how I can find newly created users and then check if there are also any events that would signify those users were added to one of two groups.

So far what I have is not working 🙂 I can't figure out how to take the result set from the first search and fire off a second search (like a foreach) or if I am even thinking about that right. I was thinking using the fields command would do it, I have also tried to use "return":

index=wineventlog source="wineventlog:security" eventcode=4720 | fields user_principal_name | search index=wineventlog source="wineventlog:security" eventcode in (4732,4728) "group1" OR "group2"

I don't get errors but I can break the first query up and it works, I am not sure on how to take that result and pass it to the second. Most examples feature lookups and if that is the best way awesome. I am looking for technique tips as well as search construction help.

Thank you in advance!


bowesmana
SplunkTrust

Generally the way to join two or more sets of data together in Splunk is to search for all data that you want to look for and then collapse data according to useful criteria then test results.

What you appear to be looking for here is any users created (4720) and then those users added to groups (4728/4732).

So, what you would do is to look for ANY 4720,4728,4732 and then test that there are both 4720 AND one or other of the group additions for that user. So...

index=wineventlog source="wineventlog:security" eventcode in (4720,4732,4728)
| stats values(eventcode) as eventcodes by user_principal_name
| where eventcodes=4720 AND mvcount(eventcodes)>1

this is saying 

  • search to find all events with one of the 3 possible eventcodes
  • collect all the eventcodes found for each of the user_principal_name values
  • test that one of the values is 4720 AND there is at least ONE other of the wanted codes

This assumes that user_principal_name exists in events for each of the eventcodes. Also in your search you have "group1" OR "group2" - not sure if you are trying to find specific groups here, but if so, you can also do something like this in your search

index=wineventlog source="wineventlog:security" eventcode in (4720,4732,4728)
| stats values(eventcode) as eventcodes values(groups) as groups by user_principal_name
| where eventcodes=4720 AND mvcount(eventcodes)>1 AND (groups="group1" OR groups="group2")

which is collecting the groups (if any) to the collected stats and then in the last line, testing if those collected groups have one of the desired groups.

The stats function is key in the 'joining' process of your data and this is a typical Splunk construct.

Technically this assumes that it is impossible for a user to be added to a group _before_ it is created, so it does not do time checking to see that the group addition events come _after_ the creation.

It also assumes that the field names being used are as defined above, adjust as needed.

The values(X) function in stats will collect all the distinct values found for a field.

Hope this helps

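As an added example (not part of the answer above), the same stats-based collapse extended with the time ordering the answer says it skips, and limited to the 24-hour window from the question title. It assumes the answer's field names (user_principal_name, eventcode, groups) and the placeholder group names "group1"/"group2" from the question.

```spl
index=wineventlog source="wineventlog:security" eventcode in (4720,4728,4732) earliest=-24h
| eval created_time=if(eventcode=4720, _time, null())
| eval group_add_time=if(eventcode=4728 OR eventcode=4732, _time, null())
| stats values(eventcode) as eventcodes
        min(created_time) as created_time
        min(group_add_time) as first_group_add
        values(groups) as groups
        by user_principal_name
| where isnotnull(created_time) AND isnotnull(first_group_add) AND first_group_add>=created_time
| where groups="group1" OR groups="group2"
| eval created=strftime(created_time, "%Y-%m-%d %H:%M:%S"),
       first_group_add=strftime(first_group_add, "%Y-%m-%d %H:%M:%S")
| table user_principal_name created first_group_add groups
```

The two eval lines stamp each event with its own time under a per-eventcode field so that stats can take the earliest creation and the earliest group addition per user; the where clause then keeps only users whose first group addition happened at or after creation. Because of earliest=-24h, a creation and a group addition on opposite sides of the window boundary will not be paired.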


jdtokenring
Engager

thank you! that really helps and I appreciate the explanation!
