I have implemented a correlation search, where I want to find "Brute Force Behavior" followed by a "User was added to Domain Admins" event, with the following search:
(EventCode=4625 "bad password") OR (EventCode=4624 successfully LogonType=10) OR (EventCode=4728 "A member was added to a security-enabled*") | eval AccountName=mvfilter(AccountName!="-") | eval AccountName = lower(AccountName) | transaction AccountName maxspan=2m endswith=(EventCode=4728 "A member was added to a security-enabled*") | where eventcount>=7
I have saved this search as an alert.
When I test and do false logins followed by a real login, this alert triggers (this alert shouldn't trigger at this moment because no member was added to a security-enabled group) and I get an email notification. When I look up the alarm afterwards, Splunk does not find any result, as it should.
So why do I get an alarm when the search doesn't find anything? And does anyone know how to fix this issue?
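As an added example (not from the original post or from Splunk), the following Python script models the correlation logic the search above expresses: events are grouped per lower-cased account, the "-" placeholder is dropped, a group only counts as a hit when it is closed by a 4728 event within the 2-minute span, and at least 7 events are required. The event lines are constructed sample data, and the format "timestamp|EventCode|AccountName" is an assumption made for the example. It shows the intended outcome for three cases: a brute-force run that ends with the group-membership change (hit), the same run with only a successful logon (no hit, the transaction never ends), and a run where the 4728 event arrives after the span has expired (no hit).

```python
from datetime import datetime, timedelta

END_CODE = 4728  # "A member was added to a security-enabled group" (endswith condition)

# Constructed sample events, not real log data: "timestamp|EventCode|AccountName"
SAMPLE_LINES = [
    # alice: six bad passwords, one successful logon, then added to a group within 2 minutes
    "2024-01-01T10:00:00|4625|ALICE", "2024-01-01T10:00:10|4625|ALICE",
    "2024-01-01T10:00:20|4625|ALICE", "2024-01-01T10:00:30|4625|ALICE",
    "2024-01-01T10:00:40|4625|ALICE", "2024-01-01T10:00:50|4625|ALICE",
    "2024-01-01T10:01:00|4624|alice", "2024-01-01T10:01:30|4728|alice",
    # bob: same brute-force pattern but no group-membership change
    "2024-01-01T10:00:00|4625|bob", "2024-01-01T10:00:10|4625|bob",
    "2024-01-01T10:00:20|4625|bob", "2024-01-01T10:00:30|4625|bob",
    "2024-01-01T10:00:40|4625|bob", "2024-01-01T10:00:50|4625|bob",
    "2024-01-01T10:01:00|4624|bob",
    # carol: the 4728 arrives six minutes later, outside maxspan=2m
    "2024-01-01T10:00:00|4625|carol", "2024-01-01T10:00:10|4625|carol",
    "2024-01-01T10:00:20|4625|carol", "2024-01-01T10:00:30|4625|carol",
    "2024-01-01T10:00:40|4625|carol", "2024-01-01T10:00:50|4625|carol",
    "2024-01-01T10:01:00|4624|carol", "2024-01-01T10:06:00|4728|carol",
    # a 4625 with no resolvable account, dropped like mvfilter(AccountName!="-")
    "2024-01-01T10:00:05|4625|-",
]


def parse_events(lines):
    """Turn the constructed lines into (datetime, code, account) tuples.

    Mirrors the two eval steps of the search: drop the '-' placeholder and
    lower-case the account so ALICE and alice land in the same transaction.
    """
    events = []
    for line in lines:
        ts, code, account = line.split("|")
        if account == "-":
            continue
        events.append((datetime.fromisoformat(ts), int(code), account.lower()))
    return events


def correlate(events, maxspan=timedelta(minutes=2), min_events=7):
    """Return [(account, event_count)] for transactions that were closed by a
    4728 event within maxspan and contain at least min_events events.

    Open transactions (no closing 4728 seen) and transactions whose span
    was exceeded never produce a hit; that is the behaviour the alert intends.
    """
    per_account = {}
    for ts, code, account in sorted(events):
        per_account.setdefault(account, []).append((ts, code))

    hits = []
    for account, evs in per_account.items():
        txn = []
        for ts, code in evs:
            if txn and ts - txn[0][0] > maxspan:
                txn = []  # span exceeded: the open transaction is discarded
            txn.append((ts, code))
            if code == END_CODE:  # endswith: close the transaction and evaluate it
                if len(txn) >= min_events:
                    hits.append((account, len(txn)))
                txn = []
        # whatever remains in txn is an unfinished transaction and is not reported
    return hits


if __name__ == "__main__":
    for account, count in correlate(parse_events(SAMPLE_LINES)):
        print(f"ALERT: {account} ({count} events ended by 4728 within 2m)")
```

Running it reports only alice. Checking that the transaction actually closed (a 4728 event is the last event and the whole group sits inside the span) before counting events is the property the alert depends on; a result that is produced while the transaction is still open would correspond to the false-positive case described in the question.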