Splunk Search

Local Admin: How to check if a user has been added and NOT removed within a time period?

beastpc
Loves-to-Learn

Hi, what would be the best way to check that, after a user has been added to a group, they have not been removed from the same group within, say, 24 hours?

I currently have a search that provides a table showing group additions and group removals using the winevent index. What is the best way to find events where there has been an addition but no removal for the same group and user within 24 hours?

I started to look at | transaction but I don't feel this is correct as I am interested if there has not been a removal after a time period.

Failing this, if anyone has an alternative solution to alert when a user has been added to a group and not removed from it within a time period, that would be much appreciated. Thanks.


matt8679
Path Finder

So it's hard to help without seeing the data, but you could try something like this.

<main search that pulls the two event IDs in the last 24 hrs>

| stats values(EventID) as Group_ID by user
| eval removal=if(isnotnull(mvfind(Group_ID, "^4729$")), "Yes", "No")
| search removal=No


Something like this should work.


Matt

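The pairing logic the question asks for, written out as an added example (this is not code from either post and not a Splunk artefact). It assumes the local-group pair 4732 (member added to a security-enabled local group) and 4733 (member removed), since the thread is about Local Admin; the reply above uses 4756 and 4729, which are the universal-group add and global-group remove events and would not pair with each other. Field names (member, group, host) and the sample events are constructed for the example. It also handles the two cases a plain "stats by user" gets wrong: an addition younger than the window cannot be judged yet, and a removal that arrives after the deadline does not clear the addition.

```python
from datetime import datetime, timedelta

# Event IDs for a security-enabled LOCAL group (e.g. Administrators):
# 4732 = member added, 4733 = member removed. Assumed from the thread title;
# substitute whatever pair your data actually carries.
ADD_CODE = 4732
REMOVE_CODE = 4733

# Constructed sample events (not from the original post). Field names are
# simplified: real 4732/4733 events carry MemberName, TargetUserName (the
# group) and Computer, which a Splunk search would use or rename.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00", "EventCode": 4732, "member": "CORP\\alice", "group": "Administrators", "host": "WS01"},
    {"_time": "2024-05-01T09:30:00", "EventCode": 4733, "member": "CORP\\alice", "group": "Administrators", "host": "WS01"},
    {"_time": "2024-05-01T10:00:00", "EventCode": 4732, "member": "CORP\\bob",   "group": "Administrators", "host": "WS01"},
    {"_time": "2024-05-01T11:00:00", "EventCode": 4732, "member": "CORP\\carol", "group": "Administrators", "host": "WS02"},
    {"_time": "2024-05-02T12:30:00", "EventCode": 4733, "member": "CORP\\carol", "group": "Administrators", "host": "WS02"},
    {"_time": "2024-05-02T13:00:00", "EventCode": 4732, "member": "CORP\\dave",  "group": "Administrators", "host": "WS02"},
]

# Fixed "now" so the example is deterministic; a scheduled search would use
# the wall clock.
NOW = datetime(2024, 5, 2, 14, 0, 0)


def find_unremoved_additions(events, now, window_hours=24):
    """Return one alert dict per addition that was NOT followed by a removal of
    the same member from the same group on the same host within window_hours.

    Two rules a naive 'stats by user' misses:
      * an addition younger than the window at `now` is skipped, because the
        window has not elapsed and the removal may still be coming;
      * a removal that lands after the deadline does not clear the addition
        (the account sat in the group longer than the policy allows).
    """
    window = timedelta(hours=window_hours)
    by_key = {}
    for e in events:
        key = (e["member"], e["group"], e["host"])
        by_key.setdefault(key, []).append(
            (datetime.fromisoformat(e["_time"]), e["EventCode"]))

    alerts = []
    for (member, group, host), evs in by_key.items():
        evs.sort()  # chronological, so only later events can be the removal
        for i, (t_add, code) in enumerate(evs):
            if code != ADD_CODE or now - t_add < window:
                continue
            deadline = t_add + window
            removed_in_time = any(
                c == REMOVE_CODE and t_add <= t <= deadline
                for t, c in evs[i + 1:])
            if not removed_in_time:
                alerts.append({"member": member, "group": group, "host": host,
                               "added_at": t_add.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in find_unremoved_additions(SAMPLE_EVENTS, NOW):
        print(f"{a['added_at']} {a['host']} {a['group']} <- {a['member']} "
              f"still a member after 24h")
```

On the sample data this flags bob (added, never removed) and carol (removed, but 25.5 hours after the addition), clears alice, and stays silent on dave because his addition is only an hour old. The same shape carries over to a scheduled search: pull both event IDs over the last 48 hours, keep additions with `_time` older than 24 hours, and for each member/group/host pair look for a removal between the addition and addition plus 24 hours. Running it only over the last 24 hours, as the reply suggests, cannot distinguish "not removed yet" from "not removed in time".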