Disclaimer: I know the search below is ugly, its based on several examples including the exploring splunk book. I was trying to get an example from splunk .conf working http://www.mensk.com/detecting-bank-accounts-takeover-fraud-cyberattacks-with-splunk-part3-the-advan... but failed miserably.
I have scenario 1 working (below) it is just really expensive. Even if I can just improve performance on that, it would be a big help.
The search below works, however I need to compare this results against 2 other searches (
Compare Returned IPs against IPs used by different groups last 30 days:
index=pssql sourcetype=logins IPAddress=(questionable_IP) | eval iDate=strftime(_time, "%m/%d/%Y") | stats values(Group_Name) values(User_Name) values(iDate) by IPAddress
Compare returned Account Number against Account Numbers used last 30 days by different groups:
index=pssql sourcetype=UserActivity Account_Number=(questionable_account)
index=pssql sourcetype=UserActivity Message="Admin Function*" earliest=-2d latest=now | eval iDate=strftime(_time, "%m/%d/%Y %H:%M:%S") | stats values(IPAddress) as lastIP values(Message) as iMessage values(iDate) as iDate values(Account_Number) as Account_Number values(Routing_Number) as Routing_Number by Group_Name | sort lastIP | append [ search index=pssql sourcetype=logins earliest=-30d latest=-2d | eval aDate=strftime(_time, "%m/%d/%Y") | eval dateIP=IPAddress." - ".aDate | stats values(IPAddress) as PreviousIPs values(User_Name) as User_Name dc(IPAddress) as ipCount values(dateIP) as dateIP by Group_Name | where ipCount>1 | fields PreviousIPs,User_Name,ipCount,PrevTime,Group_Name,_time,dateIP ] | stats values(lastIP) as lastIP dc(lastIP) as lastIPCount values(User_Name) as User_Name values(dateIP) as dateIP values(iMessage) as iMessage values(PreviousIPs) as PreviousIPs dc(PreviousIPs) as prevIPCount values(Account_Number) as Account_Number values(iDate) as iDate values(Routing_Number) as Routing_Number by Group_Name | where lastIPCount>0 AND prevIPCount>0 | sort lastIP | eval Match=if(lastIP!=PreviousIPs,"NO","YES") | where Match="NO" | table Group_Name, User_Name, iDate, lastIP, dateIP, Routing_Number, Account_Number
Here is a skeleton of how, I think this could work without subsearches. NOt sure I understand the 3 scenario, so this is only for 1&2. This is to only get you started...
index=pssql (sourcetype=UserActivity Message="Admin Function*") OR sourcetype=logins earliest=-30d latest=-2d | eventstats earliest(_time) as previous latest(_time) as current by group_name ip | eval seenbefore=if(current<=relative_time(now(), "-2d@d"), "yes", "no") | eventstats values(eval(if(seenbefore="no", group_name", null())) as groupsusingip by ip
I think this should give you, for each event, if it was seenbefore, if not, groups using the ip. Hopefully, I'm not waay off base 🙂