Splunk Search

Return a set of events that occur after a specific event

jchampagne
Path Finder

I want to create a search that will return all of the logon failure events (based on a set of event IDs, let's say EventID 600, 601, 602) that occur after the last "Account Unlocked" event for a specific user.

For example, an event is logged anytime a user account is unlocked. Various events are also logged when a user fails to authenticate properly. After a certain number of failed logon attempts, an account lockout occurs.

I want to be able to specify a username and have the search go look for the last account unlock event (let's say EventID 500), then return any logon failure event (EventID 600, 601, 602) that occurred for that user after the account unlock event.

himanshusinha1
Explorer

Hi All,
Is there any possibility to create a unique index number while indexing? I want to search the results based on the last event ID I read, and then read the events greater than that last event ID.
The problem I faced is that the device is generating a wrong date/time, which is a future date/time; in that case our earliest/latest logic fails, because I was storing the _time value as the last trigger date and that was a future date. So I want to create a unique auto-incremented row number ID while indexing.
Please help!!


jchampagne
Path Finder

Kristian,

Thanks for your reply. I've been playing around with the transaction command this morning and am not finding success. Mainly because the event IDs I'm looking for are not in a sequence, so the startswith and endswith parameters don't seem to work for me.

For example, here is the query I am running:

source="WinEventLog:Security" <Replace with User Name>
    ((EventCode=4776 AND Keywords="Audit Failure")
     OR (EventCode=680 AND "Failure Audit")
     OR (EventCode=675 OR (EventCode=672 AND Type="Failure Audit"))
     OR (EventCode=4771 AND "Audit Failure")
     OR (EventCode=671 OR EventCode=4767 OR EventCode=4740 OR EventCode=644))
| eval Caller=coalesce(Source_Workstation,Client_Address,Caller_User_Name)
| eval Account=coalesce(User_Name,Logon_account,Logon_Account,User_ID,Security_ID,Target_Account_ID)
| eval Description=coalesce(Error_Code_Description,KerberosFailureCode_Description,EventCodeDescription)
| table _time, Account, Caller, EventCode, Description

This query returns a table of results for the user I specify within the timeframe specified. However, I'd rather see a table that begins with the most recent account unlock event (actual event codes are 4767 and 671) and ends with the most recent account lock event (4740 or 644). Within the timeframe of those events, I want to see all of the logon failure events for the user (4776, 680, 675, 672, 4771).

Is that even possible in a search?
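One way to build the window described above in a single search (most recent unlock, then every failure up to the most recent lockout), as an added example that is not from this thread: it assumes the same field names as the query in the post (User_Name, Source_Workstation and so on) and the event codes listed there; the names phase, last_unlock and last_lockout are chosen here.

```spl
source="WinEventLog:Security" <Replace with User Name>
    ((EventCode=4767 OR EventCode=671)
     OR (EventCode=4740 OR EventCode=644)
     OR ((EventCode=4776 OR EventCode=680 OR EventCode=675 OR EventCode=672 OR EventCode=4771)
         AND ("Audit Failure" OR "Failure Audit")))
| eval Account=coalesce(User_Name,Logon_account,Logon_Account,User_ID,Security_ID,Target_Account_ID)
| eval Caller=coalesce(Source_Workstation,Client_Address,Caller_User_Name)
| eval phase=case(EventCode=4767 OR EventCode=671, "unlock",
                  EventCode=4740 OR EventCode=644, "lockout",
                  true(), "failure")
| eventstats max(eval(if(phase="unlock", _time, null()))) AS last_unlock BY Account
| where isnotnull(last_unlock) AND _time>=last_unlock
| eventstats max(eval(if(phase="lockout", _time, null()))) AS last_lockout BY Account
| where isnull(last_lockout) OR _time<=last_lockout
| sort 0 Account, _time
| table _time, Account, Caller, EventCode, phase
```

Accounts with no unlock event in the selected time range are dropped by the first where clause, and because both eventstats calls group BY Account the same search works unchanged for all users at once.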

kristian_kolb
Ultra Champion

This should give you a listing of the events for user XXXX in chronological order.

sourcetype=your_sourcetype (EventID=500 OR EventID=600 OR EventID=601 OR EventID=602) userID=XXXXX | reverse

More generic (i.e. for all users) you can use the transaction command to group events by user;

sourcetype=your_sourcetype (EventID=500 OR EventID=600 OR EventID=601 OR EventID=602)
| transaction userID startswith="EventID=500"

Hope this helps,

Kristian
