Splunk Search

Use Case for Privileged Users, SPL Question

avoelk
Communicator

I'm trying to create a search in which the following should be done: 

- look for a user creation process (ID 4720)

- and then look (for the same user) if there is a follow up group adding event (4728) for privileged groups like (512,516 etc.) 

 

my SPL was so far like that: 

 

index=lalala source=lalala EventID=4720 OR 4728 PrimaryGroupId IN (512,516,517,518,519)

 

BUT that way I only look for either a user creation OR a user being added as a privileged user. but I want to like both. I understand that I need to somehow connect those two searches but I don't know how exactly. 

 

 

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

I think that this is place for sub query like

index=lalala source=lalala EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519) AND
[ search index=lalala source=lalala EventID=4720 
  | fields UserName | dedup UserName | format ]

In this way it first look those UserNames which has created and then that "outer" base search this those (UserName = "xxx" OR UserName = "yy"....)

If you are looking for long period then maybe there is better options too.

r. Ismo 

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

I think that this is place for sub query like

index=lalala source=lalala EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519) AND
[ search index=lalala source=lalala EventID=4720 
  | fields UserName | dedup UserName | format ]

In this way it first look those UserNames which has created and then that "outer" base search this those (UserName = "xxx" OR UserName = "yy"....)

If you are looking for long period then maybe there is better options too.

r. Ismo 

avoelk
Communicator

thanks a lot, that was the solution ! 

0 Karma

emlin_charly
Explorer

Hello hello!

I think what you are looking for here is the `transaction` command, but it can have some extra over-head.  I'll leave some examples here to see if they work for you. Since your requirement is simple, I suggest using the `stats` command instead of `transaction`. If you wanted to look at a specific EventID first and then another specific EventID after, `transaction` might be easier to implement.

Version using `transaction`:

 

index=lalala source=lalala (EventID=4720 OR (EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519)))
| transaction UserName maxspan=5m
| search EventID=4720 AND EventID=4728

 

Version using `stats`:

index=lalala source=lalala (EventID=4720 OR (EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519)))
| stats values(EventID) AS EventIDs by UserName
| search EventIDs=4720 EventIDs=4728


Edit: Fixing the code blocks.

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...