Greetings!
I have been googling, pluralsighting, reading splunk docs and I am extremely new to splunk. I did search the community and didn't find something close enough to what I need. So I am asking if anyone here has an idea of how I can find newly created users and then check if there are also any events that would signify those users were added to one of two groups.
So far what I have is not working 🙂 I can't figure out how to take the result set from the first search and fire off a second search (like a foreach) or if I am even thinking about that right. I was thinking using the fields command would do it, I have also tried to use "return" -
index=wineventlog source="wineventlog:security" eventcode=4720 | fields user_principal_name | search index=wineventlog source="wineventlog:security" eventcode in (4732,4728) "group1" OR "group2"
I don't get errors but I can break the first query up and it works, I am not sure on how to take that result and pass it to the second. Most examples feature lookups and if that is the best way awesome. I am looking for technique tips as well as search construction help.
Thank you in advance!
Generally the way to join two or more sets of data together in Splunk is to search for all data that you want to look for and then collapse data according to useful criteria then test results.
What you appear to be looking for here is any users created (4720) and then those users added to groups (4728/4732).
So, what you would do is to look for ANY 4720,4728,4732 and then test that there are both 4720 AND one or other of the group additions for that user. So...
index=wineventlog source="wineventlog:security" eventcode in (4720,4732,4728)
| stats values(eventcode) as eventcodes by user_principal_name
| where eventcodes=4720 AND mvcount(eventcodes)>1
this is saying
This assumes that user_principal_name exists in events for each of the eventcodes. Also in your search you have "group1" OR "group2" - not sure if you are trying to find specific groups here, but if so, you can also do something like this in your search
index=wineventlog source="wineventlog:security" eventcode in (4720,4732,4728)
| stats values(eventcode) as eventcodes values(groups) as groups by user_principal_name
| where eventcodes=4720 AND mvcount(eventcodes)>1 AND (groups="group1" OR groups="group2")
which is collecting the groups (if any) to the collected stats and then in the last line, testing if those collected groups have one of the desired groups.
The stats function is key in the 'joining' process of your data and this is a typical Splunk construct.
Technically this assumes that it is impossible for a user to be added to a group _before_ it is created, so does no time checking to see that the group addition events come _after_ the creation.
It also assumes that the field names being used are as defined above, adjust as needed.
The values(X) command in stats will collect all the distinct values found for a field
Hope this helps
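As an added illustration (not code from the thread), the stats-then-where pattern above re-implemented in Python over a handful of constructed events, extended with the time-ordering check the answer notes the SPL does not do. The field name "groups", the sample accounts and the timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime

CREATE = 4720                          # user account created
GROUP_ADD = {4728, 4732}               # member added to a global / local security group
WATCHED_GROUPS = {"group1", "group2"}  # the two groups the question cares about

def ev(t, code, user, group=None):
    return {"_time": t, "eventcode": code, "user_principal_name": user, "groups": group}

# Constructed sample events, not real log data.
EVENTS = [
    ev("2024-01-01T10:00:00", 4720, "alice@corp.example"),
    ev("2024-01-01T10:05:00", 4728, "alice@corp.example", "group1"),   # created, then added: flag
    ev("2024-01-01T11:00:00", 4732, "bob@corp.example", "group2"),     # no 4720 seen: skip
    ev("2024-01-01T12:00:00", 4720, "carol@corp.example"),             # created, never added: skip
    ev("2024-01-01T09:00:00", 4728, "dave@corp.example", "group1"),    # addition logged BEFORE creation
    ev("2024-01-01T09:30:00", 4720, "dave@corp.example"),
    ev("2024-01-01T13:00:00", 4720, "erin@corp.example"),
    ev("2024-01-01T13:10:00", 4732, "erin@corp.example", "helpdesk"),  # not a watched group: skip
]

def stats_by_user(events):
    """stats values(eventcode) as eventcodes values(groups) as groups by user_principal_name,
    plus the creation time and each group-add time so event ordering can be checked."""
    rows = defaultdict(lambda: {"eventcodes": set(), "groups": set(), "created": None, "adds": []})
    for e in events:
        row = rows[e["user_principal_name"]]
        ts = datetime.fromisoformat(e["_time"])
        row["eventcodes"].add(e["eventcode"])
        if e["groups"]:
            row["groups"].add(e["groups"])
        if e["eventcode"] == CREATE:
            row["created"] = ts if row["created"] is None else min(row["created"], ts)
        elif e["eventcode"] in GROUP_ADD:
            row["adds"].append((ts, e["groups"]))
    return rows

def flag_users(events, require_order=True):
    """The answer's where clause (4720 present, more than one event code, a watched group seen);
    with require_order=True a watched-group addition must also postdate the creation event."""
    flagged = []
    for user, row in sorted(stats_by_user(events).items()):
        if CREATE not in row["eventcodes"] or len(row["eventcodes"]) < 2:
            continue
        if not (row["groups"] & WATCHED_GROUPS):
            continue
        if require_order and not any(g in WATCHED_GROUPS and ts > row["created"] for ts, g in row["adds"]):
            continue
        flagged.append(user)
    return flagged
```

With require_order=False the result matches the SPL above (alice and dave); with the ordering check dave drops out because the group addition was logged before the creation event.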
thank you! that really helps and I appreciate the explanation!