Splunk Search

Search for Upload Activity to Unique Domains

AC1
Engager

Hi all,

I am trying to put together a search and stats table for users in our environment who have uploaded data to a domain where there has been not been any other upload activity to that domain in the last 7 days.

Operation="FileUploadedToCloud" - I'm working with fields such as user and targetdomain.

Any help is appreciated! Thanks!

Labels (2)
0 Karma
1 Solution

dtburrows3
Builder

A search like this I think will do it. (Set your search window to be last 7 days)

 

 

 

index=<origin_index> Operation="FileUploadedToCloud" earliest=-7d latest=now
    | stats
        count as upload_count,
        earliest(_time) as earliest_upload_epoch,
        latest(_time) as latest_upload_epoch
            by user, targetdomain
    | sort 0 -upload_count
    | stats
        dc(user) as dc_user,
        list(user) as users,
        min(earliest_upload_epoch) as earliest_upload_epoch,
        max(latest_upload_epoch) as latest_upload_epoch,
        list(upload_count) as upload_count,
        sum(upload_count) as total_upload_count
            by targetdomain
    ``` filter down results to only include domains where 1 user has uploaded in the specified search window ```
    | where 'dc_user'==1
    | convert
        ctime(earliest_upload_epoch) as earliest_upload_timestamp,
        ctime(latest_upload_epoch) as latest_upload_timestamp
    | fields - *_upload_epoch

 

 

 

 
This should also return results if a single user has uploaded to a domain multiple times but is still the only user to upload to it in the last 7 days.

Resulting dataset would look something like this.

dtburrows3_0-1703872403992.png

If scope needs to be narrowed to only 1 upload event by a user then you can additional filter to only return the events where 'total_upload_count'==1

View solution in original post

dtburrows3
Builder

A search like this I think will do it. (Set your search window to be last 7 days)

 

 

 

index=<origin_index> Operation="FileUploadedToCloud" earliest=-7d latest=now
    | stats
        count as upload_count,
        earliest(_time) as earliest_upload_epoch,
        latest(_time) as latest_upload_epoch
            by user, targetdomain
    | sort 0 -upload_count
    | stats
        dc(user) as dc_user,
        list(user) as users,
        min(earliest_upload_epoch) as earliest_upload_epoch,
        max(latest_upload_epoch) as latest_upload_epoch,
        list(upload_count) as upload_count,
        sum(upload_count) as total_upload_count
            by targetdomain
    ``` filter down results to only include domains where 1 user has uploaded in the specified search window ```
    | where 'dc_user'==1
    | convert
        ctime(earliest_upload_epoch) as earliest_upload_timestamp,
        ctime(latest_upload_epoch) as latest_upload_timestamp
    | fields - *_upload_epoch

 

 

 

 
This should also return results if a single user has uploaded to a domain multiple times but is still the only user to upload to it in the last 7 days.

Resulting dataset would look something like this.

dtburrows3_0-1703872403992.png

If scope needs to be narrowed to only 1 upload event by a user then you can additional filter to only return the events where 'total_upload_count'==1

AC1
Engager

This is perfect. Thank you!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click an "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

Search over the last 7 days and count entries by target domain.  Filter out anything with a count greater than 1.

index=foo Operation=FileUploadedToCloud user=* targetdomain=* earliest=-7d
| stats count, values(*) as * by targetdomain
| where count=1
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...