Splunk Search

How to limit transactions to only correlate events on same domain

rvalley
New Member

I am searching for AD accounts that are created and deleted in a short period, but we have a multiple forest environment, and as a result, when an account is created on domain A with the same ID as an account deleted on domain B, it correlates those events. I need to limit my transaction to only correlate events that occur on the same domain.

Current search is as follows:

index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)  (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 

In other words, I am trying to add a way to the above search so it only reports a short term account where the account creation domain = account deletion domain. Any help is much appreciated!


to4kawa
Ultra Champion
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)  (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| reverse
| streamstats count(eval(status="Account Deletion")) as session_id by user
| eval AcctDm=case(match(Account_Domain,"a"), "Domain_A", match(Account_Domain,"b"), "Domain B", match(Account_Domain,"c"), "Domain C")
| stats count by AcctDm user session_id

Hi,
Is this the same result?


BainM
Communicator

Something like this:
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| eval AcctDm=case(match(Account_Domain,"a"), "Domain_A", match(Account_Domain,"b"), "Domain B", match(Account_Domain,"c"), "Domain C")
| stats count by AcctDm user

Hope this helps,
Mike


rvalley
New Member

Hey Mike - I appreciate the response. I have tried with similar case matching, but haven't had success generating results. I am worried that since the transaction will list 2 account domains for one result, the grouping through results will have inflated results (i.e. result has domain a and domain b listed, domain a and domain b will both receive a count for that one row).


aberkow
Builder

I don't have a ton of experience with transactions, but can't you just add Account_Domain as one of your transaction groupby fields?

| transaction user Account_Domain... looks like that's possible based on this https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Transaction


rvalley
New Member

Hey, thanks for the response! Unfortunately, adding an extra group by field doesn't seem to do the trick -- still getting the multiple domains.

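The correlation the thread is after, written out in plain Python as an added example (not code from any of the posts): creation events (EventCode 624/4720) are paired with deletion events (630/4726) for the same user, and keying the pairing on (user, Account_Domain) instead of user alone drops the cross-forest match the question describes. The sample events, field names mirroring the thread's Splunk fields, and the one-hour window are constructed assumptions.

```python
"""Pair AD account-creation and account-deletion events only within the same domain."""
from datetime import datetime, timedelta

CREATE_CODES = {"624", "4720"}   # account created (legacy / modern event IDs)
DELETE_CODES = {"630", "4726"}   # account deleted

# Constructed sample events; field names mirror the thread's Splunk fields.
SAMPLE_EVENTS = [
    {"_time": "2020-01-06 09:00:00", "EventCode": "4720", "user": "svc_temp",  "Account_Domain": "a"},
    {"_time": "2020-01-06 09:20:00", "EventCode": "4726", "user": "svc_temp",  "Account_Domain": "b"},  # other forest
    {"_time": "2020-01-06 10:00:00", "EventCode": "4720", "user": "jdoe",      "Account_Domain": "c"},
    {"_time": "2020-01-06 10:15:00", "EventCode": "4726", "user": "jdoe",      "Account_Domain": "c"},  # true short-lived
    {"_time": "2020-01-06 11:00:00", "EventCode": "4720", "user": "longlived", "Account_Domain": "a"},
    {"_time": "2020-01-08 11:00:00", "EventCode": "4726", "user": "longlived", "Account_Domain": "a"},  # outside window
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def short_lived_accounts(events, max_span=timedelta(hours=1), same_domain=True):
    """Return (user, create_domain, delete_domain, lifetime_seconds) tuples.

    same_domain=True keys the pairing on (user, Account_Domain), which is what
    the question asks for; same_domain=False keys on user alone and reproduces
    the cross-forest false positive (creation in domain a, deletion in domain b).
    """
    pending = {}   # pairing key -> (creation time, creation domain)
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        key = (ev["user"], ev["Account_Domain"]) if same_domain else ev["user"]
        t = parse_time(ev["_time"])
        if ev["EventCode"] in CREATE_CODES:
            pending[key] = (t, ev["Account_Domain"])          # remember latest creation
        elif ev["EventCode"] in DELETE_CODES and key in pending:
            created_at, create_domain = pending.pop(key)
            if t - created_at <= max_span:                   # only short-lived accounts
                hits.append((ev["user"], create_domain, ev["Account_Domain"],
                             int((t - created_at).total_seconds())))
    return hits


if __name__ == "__main__":
    print("same-domain pairing :", short_lived_accounts(SAMPLE_EVENTS))
    print("user-only pairing   :", short_lived_accounts(SAMPLE_EVENTS, same_domain=False))
```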