Splunk Search

Ignoring alerts when user has been removed and added back into AD group within an hour?

st1
Explorer

We currently have a report every morning that shows which users have been removed from a particular AD group from the previous day.

The report sometimes shows too many events. I want to modify it such that if a user has been removed from an AD group and added back in within one hour, then it would be ignored.

Here are examples below. EventCode 4729 is a user getting removed and 4728 is a user getting added.

 

_time MemberSid AD_Group EventCode
2022-12-21 14:48:22 bob Executives 4728
2022-12-21 12:48:22 bob Executives 4729

This would show up in the morning report that bob was removed from the Executives group at 12:48 since it's been over an hour since they were added back in.

 

_time MemberSid AD_Group EventCode
2022-12-21 14:38:22 janice Executives 4728
2022-12-21 13:00:22 bob Executives 4728
2022-12-21 12:55:22 dylan Executives 4729
2022-12-21 12:50:22 janice Executives 4729
2022-12-21 12:48:22 bob Executives 4729

Janice and Dylan would show up in the morning report in this case since it's been over an hour that Janice was added back in and Dylan was never added back at all.

 

I'm not good with SPL and am having trouble with what command(s) to use so that I can achieve the above.  Below is the search I currently have. The comment indicates what I'm trying to do.

index=oswinsec sourcetype="XmlWinEventLog" EventCode IN (4728,4729) Group_Name="Executives"
| rename Group_Name as AD_Group
| table _time, MemberSid, AD_Group, EventCode
| sort by MemberSid
``` WHERE for a user, if there is eventcode 4729 and no eventcode 4728 following or eventcode 4728
over a hour later, then keep those events/results. In other words, ignore users with eventcode 4729
and eventcode 4728 within a hour apart.```


richgalloway
SplunkTrust

I hate to do it, but I think this may call for the transaction command.  It's slow and uses a fair amount of memory, but should fill the requirements.

index=oswinsec sourcetype="XmlWinEventLog" EventCode IN (4728,4729) Group_Name="Executives"
| rename Group_Name as AD_Group
| fields _time, MemberSid, AD_Group, EventCode
``` one transaction per user: a 4729 (removed) closed by the next 4728 (added back) for the same MemberSid; transaction works on the search's default newest-first order, so no sort is needed ```
| transaction MemberSid startswith="EventCode=4729" endswith="EventCode=4728" keeporphans=1
``` keep removals added back more than an hour later, single-event transactions (removed and never added back), and unpaired events ```
| where (duration > 3600 OR eventcount=1 OR _txn_orphan=1)

 

---
If this reply helps you, Karma would be appreciated.


richgalloway
SplunkTrust

This is a good use for the streamstats command.  Use the range function to get the time difference between events for each user and then display only those with a difference of at least 3600 seconds (1 hour).

index=oswinsec sourcetype="XmlWinEventLog" EventCode IN (4728,4729) Group_Name="Executives"
| rename Group_Name as AD_Group
| fields _time, MemberSid, AD_Group, EventCode
| sort + _time
| streamstats range(_time) as diff by MemberSid
| where diff > 3600

 

---
If this reply helps you, Karma would be appreciated.

st1
Explorer

Streamstats seems to be the step in the right direction but I'm still having some issues. The command you gave is calculating the time diff for each time the EventCode changes from 4729 to 4728 or vice versa. I'm only interested in the diff between each pair. Specifically the difference between 4729 to 4728 and I want the time diff to reset on event 4728.

This is what I've tried:

| streamstats range(_time) as diff by MemberSid window=2 global=f reset_after="("EventCode=4728")"
  • I used window=2 because I only want the time diff between each pair of 4728 and 4729 events.
  • I don't really know what global=f or t is doing. They both show the same results.
  • I did reset_after because I want the time diff to reset after a 4728 event is noticed. Then the time diff should start being counted again on a 4729 until a 4728 event.

 

But the command is not capturing the below events.

_time MemberSid AD_Group EventCode
2022-12-16 08:30:24 wendy Executives 4728
2022-12-15 11:53:19 sara Executives 4728
2022-12-15 11:41:21 sara Executives 4729
2022-12-15 10:28:20 wendy Executives 4729
2022-12-14 15:05:58 max Executives 4728
2022-12-14 10:05:13 daniel Executives 4729
2022-12-14 08:15:46 max Executives 4729

 

Wendy and Max were added back over an hour later. And Daniel was never added back at all. But the command I'm using isn't picking those up. Any tips?
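To make the pairing rule explicit outside Splunk, here is an added Python example (not from the thread or any of its posters) that walks each user's events oldest-first, as the streamstats approach does, and reports only the 4729 removals with no 4728 add-back for the same user and group within an hour. The rows are constructed from the sample table above; the one-hour grace period and the boundary behaviour (exactly 3600 seconds is still ignored, matching `where diff > 3600`) are assumptions.

```python
from datetime import datetime, timedelta

# Rows constructed from the sample table in the post above:
# (_time, MemberSid, AD_Group, EventCode), newest first as Splunk shows them
SAMPLE_EVENTS = [
    ("2022-12-16 08:30:24", "wendy", "Executives", 4728),
    ("2022-12-15 11:53:19", "sara", "Executives", 4728),
    ("2022-12-15 11:41:21", "sara", "Executives", 4729),
    ("2022-12-15 10:28:20", "wendy", "Executives", 4729),
    ("2022-12-14 15:05:58", "max", "Executives", 4728),
    ("2022-12-14 10:05:13", "daniel", "Executives", 4729),
    ("2022-12-14 08:15:46", "max", "Executives", 4729),
]

REMOVED = 4729  # member removed from a security-enabled global group
ADDED = 4728    # member added to a security-enabled global group

def parse(row):
    t = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
    return (t, row[1], row[2], row[3])

def reportable_removals(events, grace=timedelta(hours=1)):
    """Return (removed_at, MemberSid, AD_Group) for every 4729 that was not
    followed by a 4728 for the same user and group within `grace`.
    The open removal is closed (and the diff reset) on the next 4728,
    which is what the thread asks streamstats to do."""
    rows = sorted((parse(r) for r in events), key=lambda r: r[0])  # like sort + _time
    open_removal = {}  # (MemberSid, AD_Group) -> time of the unmatched 4729
    keep = []
    for t, sid, group, code in rows:
        key = (sid, group)
        if code == REMOVED:
            if key in open_removal:  # a second removal with no add-back in between
                keep.append((open_removal[key], sid, group))
            open_removal[key] = t
        elif code == ADDED and key in open_removal:
            removed_at = open_removal.pop(key)
            if t - removed_at > grace:  # added back, but too late to ignore
                keep.append((removed_at, sid, group))
    # removals still open at the end were never added back at all
    keep.extend((t, sid, group) for (sid, group), t in open_removal.items())
    return sorted(keep)

if __name__ == "__main__":
    for removed_at, sid, group in reportable_removals(SAMPLE_EVENTS):
        print(f"{removed_at} {sid} removed from {group} and not added back within an hour")
```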
