Splunk Search

How to limit transactions to only correlate events on same domain

rvalley
New Member

I am searching for AD accounts that are created and deleted in a short period, but we have a multiple forest environment, and as a result, when an account is created on domain A with the same ID as an account deleted on domain B, it correlates those events. I need to limit my transaction to only correlate events that occur on the same domain.

Current search is as follows:

index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)  (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 

In other words, I am trying to add a way to the above search so it only reports a short term account where the account creation domain = account deletion domain. Any help is much appreciated!

0 Karma

to4kawa
Ultra Champion
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)  (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| reverse
| streamstats count(eval(status="Account Deletion")) as session_id by user
| eval AcctDm=case(match(Account_Domain,"a"), "Domain_A", match(Account_Domain,"b"), "Domain_B", match(Account_Domain,"c"), "Domain_C")
| stats count by AcctDm user session_id

Hi,
Is this the same result?

0 Karma

BainM
Communicator

Something like this:
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| eval AcctDm=case(match(Account_Domain,"a"), "Domain_A", match(Account_Domain,"b"), "Domain_B", match(Account_Domain,"c"), "Domain_C")
| stats count by AcctDm user

Hope this helps,
Mike

0 Karma

rvalley
New Member

Hey Mike - I appreciate the response. I have tried with similar case matching, but haven't had success generating results. I am worried that since the transaction will list 2 account domains for one result, the grouping through results will have inflated results (i.e. result has domain a and domain b listed, domain a and domain b will both receive a count for that one row).

0 Karma

aberkow
Builder

I don't have a ton of experience with transactions, but can't you just add Account_Domain as one of your transaction groupby fields?

| transaction user Account_Domain... looks like that's possible based on this https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Transaction

0 Karma

rvalley
New Member

Hey, thanks for the response! Unfortunately, adding an extra group by field doesn't seem to do the trick -- still getting the multiple domains.

0 Karma
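The same-domain pairing the question asks for, expressed outside Splunk so the logic can be checked on sample data: this is an added example, not code from the thread or from Splunk. It models the creation-to-deletion transaction keyed on (user, Account_Domain) over constructed events, so a creation on domain a followed by a deletion of the same account name on domain b is not reported. Event codes, field names and the one-hour window are assumptions taken from the search in the question.

```python
"""Pair account-creation and account-deletion events per (user, domain)."""
from datetime import datetime, timedelta

# Windows security event IDs used in the question's search (legacy / modern pairs).
CREATE_CODES = {624, 4720}
DELETE_CODES = {630, 4726}

# Constructed sample events (not real log data). Field names mirror the Splunk
# search: EventCode, user (the target account), Account_Domain, and a timestamp.
SAMPLE_EVENTS = [
    {"_time": "2023-05-01T10:00:00", "EventCode": 4720, "user": "svc-temp", "Account_Domain": "a"},
    {"_time": "2023-05-01T10:20:00", "EventCode": 4726, "user": "svc-temp", "Account_Domain": "b"},  # cross-domain: must not pair
    {"_time": "2023-05-01T11:00:00", "EventCode": 4720, "user": "jdoe",     "Account_Domain": "c"},
    {"_time": "2023-05-01T11:15:00", "EventCode": 4726, "user": "jdoe",     "Account_Domain": "c"},  # same domain: short-lived
    {"_time": "2023-05-01T12:00:00", "EventCode": 624,  "user": "oldacct",  "Account_Domain": "a"},
    {"_time": "2023-05-03T12:00:00", "EventCode": 630,  "user": "oldacct",  "Account_Domain": "a"},  # outside the window
]

def find_short_lived_accounts(events, max_age=timedelta(hours=1)):
    """Return (user, domain, created, deleted) for creation->deletion pairs on the
    SAME domain within max_age. Mirrors `transaction user Account_Domain` with
    startswith=creation, endswith=deletion and maxevents=2 (assumed window: 1h)."""
    pending = {}  # (user, domain) -> creation time of the currently open transaction
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["user"].lower(), ev["Account_Domain"].lower())  # AD names are case-insensitive
        ts = datetime.fromisoformat(ev["_time"])
        code = int(ev["EventCode"])
        if code in CREATE_CODES:
            pending[key] = ts  # a new creation (re)opens the transaction for this user+domain
        elif code in DELETE_CODES:
            created = pending.pop(key, None)  # only closes a creation seen on the same domain
            if created is not None and ts - created <= max_age:
                hits.append((key[0], key[1], created, ts))
    return hits

if __name__ == "__main__":
    for user, domain, created, deleted in find_short_lived_accounts(SAMPLE_EVENTS):
        print(f"{user}@{domain}: created {created}, deleted {deleted} (lifetime {deleted - created})")
```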