- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Strange Splunk Search Exclusion Results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello. I am creating a search to see when the Account_Name called "helpdesk" logs in via EventCode 4624 with Logon_Type=3. My goal is to see what source machines (src_nt_host) normally perform this logon behavior with that account name. After I find the source machines I will exclude them in the search so I can alert off of it.
A search going back the past 3 months below brings back five different source machines (src_nt_host).
Here is the strange part - when I exclude one of those five source machines using src_nt_host!=machineA then rerun the search, it brings back more source machines that never showed up in the original search! Any clue why this is occurring? It would be awesome if I could figure out what is going on!
index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Can you please add the option of | sort 0 - _time command like this:
**index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort 0 - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature*
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Sort
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Can you please add the option of | sort 0 - _time command like this:
**index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort 0 - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature*
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Sort
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello TISKAR. I tried it but it made no difference...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please run this request:
index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | stats count
And compar result with:
index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk NOT src_nt_host=machineA | stats count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First search (no exclusions) = 450,073
Second search (with the machineA exclusion) = 79,947
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I run these two searches, the Statistics totals are 29 and 28 - only off by one (which makes sense because I excluded only one machine). Therefore that seems to add up correctly. Not sure why my original search only showed 5 systems.
index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator | table src_nt_host | dedup src_nt_host
index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator src_nt_host!=machineA | table src_nt_host | dedup src_nt_host
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
