Splunk Search

How to create a Bulk System Deletion search as a Unified Search Query?

AL3Z
Builder

Hello,

I'm trying to create a search to identify instances of bulk system deletions that took place within a one-minute time frame, and describe a method to consolidate all these results into a single search query.

Thanks 


AL3Z
Builder

...


ITWhisperer
SplunkTrust
index=winsec sourcetype=XmlWinEventLog EventCode=4743 NOT SubjectUserName="Win_Dir"
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(TargetUserName) as Computer_user_deleted, values(TargetDomainName) as User_Domain, dc(TargetUserName) as computeruser_count by _time, SubjectUserName
| rename SubjectUserName as Deleted_by_User
| where computeruser_count > 10
| append [search index=winsec sourcetype=XmlWinEventLog EventCode=4726 NOT (SubjectUserName="EC_Okta")
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(object) as User_account_deleted, dc(object) as User_account_deleted_count by _time, SubjectUserName
| rename SubjectUserName as src_user
| where User_account_deleted_count > 10]
| append [search index=winsec sourcetype=XmlWinEventLog EventCode=4725 NOT (SubjectUserName="EC_Okta" OR SubjectUserName="Win_Dir")
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(TargetUserName) as disabled_account, values(TargetDomainName) as User_Domain, dc(TargetUserName) as disabledaccount_count by _time, SubjectUserName
| rename SubjectUserName as src_user
| where disabledaccount_count > 10]

AL3Z
Builder

Can we make a single search using all these Eventcodes ?


ITWhisperer
SplunkTrust

Yes. Because the stats is by time and eventId, you will get a line for each event type for each minute in which some events occurred; you just have to filter by event type and the relevant count:

| where (eventID="4743" AND count >= 100) OR (eventID= ...) etc.

AL3Z
Builder

Hi, @ITWhisperer

How do we enhance this search as per the use case?

index=xyz sourcetype=X
((EventCode=4743 AND NOT TargetUserName="Win")
OR (EventCode=4726 AND NOT TargetUserName="EC")
OR (EventCode=4725 AND (NOT TargetUserName="WinDi" OR TargetUserName="EC_GMS"))
OR (EventCode=4728 AND NOT TargetUserName="None")
)
| stats count, values(signature) as event_detail, values(TargetUserName) as target_name by Computer, EventCode
| where count > 1 AND EventCode=4728
| bin _time span=1m
| where count >= 100

Thanks


ITWhisperer
SplunkTrust
index=xyz sourcetype=X
((EventCode=4743 AND NOT TargetUserName="Win")
OR (EventCode=4726 AND NOT TargetUserName="EC")
OR (EventCode=4725 AND NOT (TargetUserName="WinDi" OR TargetUserName="EC_GMS"))
OR (EventCode=4728 AND NOT TargetUserName="None")
)
| bin _time span=1m
| stats count, values(signature) as event_detail, values(TargetUserName) as target_name by _time, Computer, EventCode
| where (count > 1 AND EventCode=4728) OR count >= 100
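The following Python is an added example, not code from the thread, that reproduces the logic of the unified search above on constructed sample events so the behaviour of each stage can be checked offline: truncate every timestamp to its minute (`bin _time span=1m`), count per minute, computer and EventCode (`stats count, values(TargetUserName) ... by _time, Computer, EventCode`), drop the excluded accounts, then apply a per-code threshold (the `where` clause: 2 or more for 4728, 100 or more for the rest). The account names, thresholds and events are assumptions standing in for the thread's Win_Dir / EC_Okta style exclusions. Note that one row is produced for every minute bucket in which matching events occurred, so a wide time range yields many rows before the `where` clause, and the 100-per-minute threshold is evaluated per bucket rather than over the whole range; the 4726 sample shows events that straddle a minute boundary and so never reach the threshold.

```python
from datetime import datetime, timedelta, timezone

# Per-EventCode thresholds mirroring the unified search: 100 or more events of
# the same code in one minute, except 4728 (member added to a security-enabled
# global group), where two or more in a minute is enough (`count > 1`).
THRESHOLDS = {4743: 100, 4726: 100, 4725: 100, 4728: 2}

# Accounts whose bulk activity is expected for a given code. Hypothetical names
# standing in for the Win_Dir / EC_Okta style exclusions in the search.
EXCLUDED_SUBJECTS = {4743: {"svc_adsync"}, 4726: {"svc_okta"}, 4725: {"svc_okta", "svc_adsync"}}

BASE = datetime(2023, 8, 2, 13, 10, tzinfo=timezone.utc)


def _event(offset_s, code, subject, target, computer="dc01.domainname.com"):
    return {"_time": BASE + timedelta(seconds=offset_s), "EventCode": code,
            "SubjectUserName": subject, "TargetUserName": target, "Computer": computer}


def build_sample_events():
    """Constructed sample data, not real logs."""
    events = []
    # 120 computer accounts (4743) deleted by a decommissioning account inside 13:10 -> alert
    events += [_event(i % 60, 4743, "svc_decom", f"WS{i:04d}$") for i in range(120)]
    # 150 deletions by the directory-sync account in the same minute -> excluded, no alert
    events += [_event(i % 60, 4743, "svc_adsync", f"OLD{i:04d}$") for i in range(150)]
    # two group additions (4728) by jdoe inside 13:12 -> alert (threshold 2)
    events += [_event(125, 4728, "jdoe", "Test Users"), _event(160, 4728, "jdoe", "Test Users")]
    # exactly 100 accounts disabled (4725) by helpdesk inside 13:30 -> alert (>= 100)
    events += [_event(20 * 60 + i % 60, 4725, "helpdesk", f"user{i:03d}") for i in range(100)]
    # 99 user deletions (4726) at one per second from 13:59:30: they straddle three
    # minute buckets (30 in 13:59, 60 in 14:00, 9 in 14:01), so no bucket reaches 100
    events += [_event(49 * 60 + 30 + i, 4726, "jdoe", f"leaver{i:03d}") for i in range(99)]
    return events


def minute_bucket(ts):
    """Equivalent of `bin _time span=1m`: truncate the timestamp to its minute."""
    return ts.replace(second=0, microsecond=0)


def per_minute_counts(events, excluded=EXCLUDED_SUBJECTS):
    """Equivalent of `stats count, values(TargetUserName) by _time, Computer, EventCode`
    after dropping the excluded subject accounts. One row per minute bucket."""
    rows = {}
    for ev in events:
        code = ev["EventCode"]
        if code not in THRESHOLDS or ev["SubjectUserName"] in excluded.get(code, ()):
            continue
        key = (minute_bucket(ev["_time"]), ev["Computer"], code)
        row = rows.setdefault(key, {"count": 0, "target_name": set()})
        row["count"] += 1
        row["target_name"].add(ev["TargetUserName"])
    return rows


def detect_bulk_changes(events, thresholds=THRESHOLDS):
    """Equivalent of the `where` clause: keep only buckets at or above their code's threshold."""
    alerts = []
    for (bucket, computer, code), row in sorted(per_minute_counts(events).items()):
        if row["count"] >= thresholds[code]:
            alerts.append({"_time": bucket, "Computer": computer, "EventCode": code,
                           "count": row["count"], "target_name": sorted(row["target_name"])})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_changes(build_sample_events()):
        print(a["_time"].strftime("%Y-%m-%d %H:%M"), a["Computer"], a["EventCode"], a["count"])
```

Running it yields three alerts (4743 at 13:10, 4728 at 13:12, 4725 at 13:30) out of six per-minute rows; the 150 sync-account deletions never produce a row because the exclusion is applied before counting, which is the same effect as the NOT clauses in the base search.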

AL3Z
Builder

@ITWhisperer ,

Hi,

In order to find out if and when a member was added to a security group, I have done a search for EventCode=4728. The search returned the following:

08/02/2023 01:10:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4728
EventType=0
Type=Information
ComputerName=server1.domainname.com
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=5551234
Keywords=Audit Success
Message=A member was added to a security-enabled global group.

Subject:
    Security ID: domainname\jdoe
    Account Name: jdoe
    Account Domain: domainname
    Logon ID: 0x1e3ef1d1

Member:
    Security ID: domainname\jdoe
    Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com

Group:
    Security ID: domainname\Test Users
    Group Name: Test Users
    Group Domain: domainname

Additional Information:
    Privileges: -

Once I viewed this information I changed my search to look like this:

EventCode=4728 | rename Account_Name as Modifier | rename Group_Name as "Modified Group" | table _time, Host, Modifier, "Modified Group", user

My problem is that I don't know how to deal with the two account names when I display the information in a table. The Modifier displays the right information which is the first account name. I would like user to display the information from "Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com" and label it as "Member Added" as that is the member that was added to the Test Users group name.



ITWhisperer
SplunkTrust

One way to do this (assuming your raw events are the XML event you showed earlier) is to create the appropriate eval commands and execute them with map - it should be noted that map has a limit to the number of searches to prevent excessive resource usage.

| spath Event.EventData.Data output=EventData
| spath Event.EventData.Data{@Name} output=EventDataName
| eval name_value=mvzip(EventDataName,EventData,"=\"")
| eval name_value=mvmap(name_value,"| eval ".name_value."\"")
| eval name_value=mvjoin(mvappend("| makeresults | eval _raw=\""._raw."\"",name_value),"
")
| map maxsearches=100 search="$name_value$"
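
The two "Account Name" lines in the 4728 event shown above belong to different sections of the message (Subject is the account that made the change, Member is the account that was added), which is why a flat extraction returns both values under one field name. The following Python is an added example, not from the thread, that parses the message section by section so that the Subject and Member names can be placed in separate columns of the table the question asks for. The event text is constructed to match the shape shown above and is not real data; the member's Security ID in it is invented.

```python
import re

# Constructed 4728 event in the key=value shape shown above, not real data.
# Tabs reproduce the Windows message layout; the message body follows "Message=".
SAMPLE_4728 = (
    "08/02/2023 01:10:24 PM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4728\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=server1.domainname.com\n"
    "TaskCategory=Security Group Management\n"
    "OpCode=Info\n"
    "RecordNumber=5551234\n"
    "Keywords=Audit Success\n"
    "Message=A member was added to a security-enabled global group.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tdomainname\\jdoe\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\tdomainname\n"
    "\tLogon ID:\t\t0x1e3ef1d1\n"
    "\n"
    "Member:\n"
    "\tSecurity ID:\t\tdomainname\\john.doe\n"
    "\tAccount Name:\t\tCN=John Doe,OU=My Users OU,DC=domainname,DC=com\n"
    "\n"
    "Group:\n"
    "\tSecurity ID:\t\tdomainname\\Test Users\n"
    "\tGroup Name:\t\tTest Users\n"
    "\tGroup Domain:\t\tdomainname\n"
    "\n"
    "Additional Information:\n"
    "\tPrivileges:\t\t-\n"
)


def account_names_in_order(text):
    """What a flat extraction sees: every 'Account Name' value in document order,
    with no indication of which section each belongs to."""
    return [m.strip() for m in re.findall(r"^\s*Account Name:\s*(.*?)\s*$", text, re.MULTILINE)]


def parse_event(text):
    """Split the event into the key=value header and the Message body, and split
    the body into its named sections (Subject, Member, Group, ...), each a dict
    of 'Key: value' lines. Returns (header, sections)."""
    header, sections, current, in_message = {}, {}, None, False
    for line in text.splitlines():
        if not in_message:
            if "=" in line:
                key, value = line.split("=", 1)
                header[key] = value
                in_message = key == "Message"
            elif line.strip():
                header.setdefault("_time", line.strip())  # leading timestamp line
            continue
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":") and not line[:1].isspace():
            current = stripped[:-1]              # unindented "Subject:" style header
            sections[current] = {}
        elif ":" in stripped and current is not None:
            key, value = stripped.split(":", 1)  # indented "Key:\t\tvalue" line
            sections[current][key.strip()] = value.strip()
    return header, sections


def group_change_row(text):
    """The table the question asks for: who changed the group, who was added, which group."""
    header, sec = parse_event(text)
    return {
        "_time": header.get("_time"),
        "Host": header.get("ComputerName"),
        "EventCode": int(header.get("EventCode", 0)),
        "Modifier": sec.get("Subject", {}).get("Account Name"),
        "Member Added": sec.get("Member", {}).get("Account Name"),
        "Modified Group": sec.get("Group", {}).get("Group Name"),
    }


if __name__ == "__main__":
    print(account_names_in_order(SAMPLE_4728))
    print(group_change_row(SAMPLE_4728))
```

`account_names_in_order` returns `["jdoe", "CN=John Doe,..."]`, which is the multivalue field a flat extraction produces; `group_change_row` returns `jdoe` as Modifier and the CN string as Member Added. If Splunk has already extracted Account_Name as a multivalue field in document order (an assumption about the field extraction in use), the same selection in SPL is `mvindex(Account_Name, 0)` for the modifier and `mvindex(Account_Name, 1)` for the member.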

AL3Z
Builder

..


ITWhisperer
SplunkTrust

Not sure what you have posted here - is your event from <event> to </event> and the rest trying to show what fields you have already extracted (complete with field values running into the next field name)?

Please repost in a codeblock (using the </> button to create a block to paste the event into).


AL3Z
Builder
@ITWhisperer Yeah, these are all the events for their respective event codes.
Do we need to have all the event codes in a single event?
Or is it fine to have them all in individual events?

ITWhisperer
SplunkTrust

Single events are fine - I assume _time has already been set to the event creation time or whatever you need it to be? Or do you need help extracting the event id and time?

Assuming you have the values already extracted, are you just looking for a way to determine if 100 (or more) events (of a particular type) have occurred in the same minute, or somehow determine, for each event, whether 99 of the same event type have occurred in the previous 60 seconds?


AL3Z
Builder

@ITWhisperer ,
I have just posted a single event from each of the specific eventcode events.
I need help in creating a correlation search for the above scenario: whenever any AD machines are deleted from the AD environment, 100 events in a minute, the alert should be triggered; likewise for user account deletion and AD machine disabled, 100 events in a minute; and when a user is added to a group it should trigger an alert.
I am looking for a way to determine if 100 (or more) events (of a particular type) have occurred in the same minute.

Thanks


ITWhisperer
SplunkTrust
| bin _time span=1m
| stats count by _time eventID

AL3Z
Builder

@ITWhisperer 

Hi,

this 

| bin _time span=1m
| stats count by _time eventID

is not working as expected: if I go with the last 30 days it is showing results. Why so?
Then what is the use of bin _time span=1m?


ITWhisperer
SplunkTrust

I am not sure I understand the question - your requirement was for counts in the last minute, why are you now talking about 30 days? Are you running the search over the last 30 days? That is an awful lot of minutes!


AL3Z
Builder

I opted for a 30-day trial to see if there were any noticeable outcomes, as I don't see any alerts for the last 30 days!



ITWhisperer
SplunkTrust

Are you sure there should have been any? How about if you reduced it to 10 in a minute?


AL3Z
Builder

Yes there should be!

I have made changes to the search and now I can see the alerts.
Thanks....


ITWhisperer
SplunkTrust

Are you just looking for certain events in your logs with various criteria? 

If so, perhaps you could share some anonymised events that you are dealing with?
