Using stolen or forged tickets (TGT)

Dustem
Explorer

Hi guys, I want to detect a service ticket (TGS) request (Windows event code 4769) that is not preceded by one of the following corresponding events:

1. User ticket (TGT) request, Windows event code 4768.

2. Ticket renewal request, Windows event code 4770.

3. Logon event, Windows event code 4624.

The following is the SPL I wrote, but I found that there is a problem, could you help me to modify it? 

index="xx"

| transaction user maxspan=24h maxpause=10h startwith=("Eventcode=4768", "Eventcode=4770", "Eventcode=4624") endswit="Eventcode=4769" keepevicted=true

| search Eventcode=4769 NOT (Eventcode=4768 OR Eventcode=4770 OR Eventcode=4624)
richgalloway
SplunkTrust

What is the problem you are having with that query (other than the spelling errors)?

FWIW, the value of the startswith argument must be a valid SPL search or eval expression.  The current value is neither.

---
If this reply helps you, Karma would be appreciated.
Dustem
Explorer

I want to query, for the same user, only 4769 events in 24h without the other three Eventcode (4768, 4770, 4624) events; the SPL doesn't fulfill this requirement.

richgalloway
SplunkTrust

As I suggested, try the original query with a valid expression.

index="xx"

| transaction user maxspan=24h maxpause=10h startswith=("Eventcode=4768" OR "Eventcode=4770" OR "Eventcode=4624") endswith="Eventcode=4769" keepevicted=true

| search Eventcode=4769 NOT (Eventcode=4768 OR Eventcode=4770 OR Eventcode=4624)
---
If this reply helps you, Karma would be appreciated.

Dustem
Explorer

I used the SPL you provided, but it didn't solve it. So I adjusted the SPL: first grouped the same user's events within a period, and then filtered for the case where the Eventcode is only 4769.

index="xx"

| transaction user maxspan=24h maxpause=10h connected=false

| search NOT Eventcode IN (4768,4770,4624) AND Eventcode=4769

yuanliu
SplunkTrust

I don't think "NOT Eventcode IN (4768,4770,4624) AND Eventcode=4769" is what it takes.  The idea is that those three codes do not precede 4769.  So, you exclude any completed transactions instead.

index="xx"

| transaction user maxspan=24h maxpause=10h startswith="Eventcode IN (4768,4770,4624)"
  endswith="Eventcode=4769" keepevicted=true keeporphaned=true
| where closed_txn==0

Dustem
Explorer

In this case, how do I continue to filter out the events that precede the appearance of 4769 without the other three Eventcodes?

yuanliu
SplunkTrust

If any of the codes, including your initial code, give output that doesn't suit the needs, please post sample data (anonymize as needed) that leads to such output, the actual output (anonymize as needed) from such code, and explain what the desired output should look like. (And how the desired output is different from the actual output if that is not painfully obvious.)

Your initial code performs transaction on user.  After excluding closed transactions, what remain in the stream are events with eventcode 4769 that do not have those three eventcodes for the same user, as well as events with eventcodes that are not those three.  Isn't this what you ask for?

Dustem
Explorer

Hi yuanliu,

Do you have any updates?

We need to filter out events where a user has only Eventcode=4776 over a while, and exclude events where 4770 or 4768 or 4624 precede 4776, because we think that this situation is reasonable and that only the presence of 4776 alone is illegal.

yuanliu
SplunkTrust

This is even more confusing.  Are you saying that you need to find users that only have one event code 4766 during the period?  All you need to do is

index="xx"

| stats values(EventCode) as EventCode by user
| where mvcount(EventCode) == 1 AND EventCode == 4766

Dustem
Explorer

We refer to the golden ticket attack, according to the Kerberos mechanism, a prerequisite for a service ticket request is a user ticket request (or renewal of an existing ticket). When this is not the case and we do not see a corresponding prior login event, the user ticket is suspected to be forged or stolen from another machine.

So the logic of the detection is that one of the following corresponding events does not occur before the service ticket request (Eventcode=4769): 1. user ticket (TGT) request (Eventcode=4768). 2. ticket renewal request (Eventcode=4770). 3. Login event (Eventcode=4624).

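To make the detection logic discussed in this thread concrete (yuanliu's "exclude the completed transactions" approach and the Golden Ticket reasoning above), here is an added Python example that is not part of the thread and not Splunk code. It runs the same two checks over a constructed set of events that mimic the fields a forwarded Windows Security log would carry: a per-request check (a 4769 with no 4768/4770/4624 for the same user in the preceding 24 hours) and the user-level check from the later posts (a user whose only event code in the period is 4769). The event list, user names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread). Only the fields the
# detection needs are kept: timestamp, normalized user, and Windows EventCode.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00", "user": "alice", "EventCode": 4768},  # TGT request
    {"_time": "2024-05-01T08:00:05", "user": "alice", "EventCode": 4769},  # TGS request, preceded by TGT
    {"_time": "2024-05-01T09:30:00", "user": "bob",   "EventCode": 4769},  # TGS request with no precursor at all
    {"_time": "2024-05-01T10:00:00", "user": "carol", "EventCode": 4624},  # interactive/network logon
    {"_time": "2024-05-01T11:00:00", "user": "carol", "EventCode": 4769},  # TGS request, preceded by logon
    {"_time": "2024-05-02T01:00:00", "user": "dave",  "EventCode": 4768},  # TGT request
    {"_time": "2024-05-03T12:00:00", "user": "dave",  "EventCode": 4769},  # TGS request, but TGT is 35h old
]

# The three event codes the thread treats as a legitimate precursor of 4769.
PRECURSOR_CODES = {4768, 4770, 4624}
TGS_REQUEST = 4769
WINDOW = timedelta(hours=24)   # mirrors maxspan=24h in the transaction command


def parse_time(ts):
    """Timestamps in the sample are ISO 8601 strings; real data would use _time epochs."""
    return datetime.fromisoformat(ts)


def find_unpreceded_tgs(events, window=WINDOW):
    """Return every 4769 event that has no 4768/4770/4624 for the same user
    within `window` before it. This is the per-request form of the detection:
    the equivalent of keeping only transactions that never "closed" on a 4769
    after a valid start event."""
    by_user = {}
    for e in sorted(events, key=lambda e: parse_time(e["_time"])):
        by_user.setdefault(e["user"], []).append(e)

    hits = []
    for evs in by_user.values():
        last_precursor = None   # most recent qualifying precursor for this user
        for e in evs:
            t = parse_time(e["_time"])
            if e["EventCode"] in PRECURSOR_CODES:
                last_precursor = t
            elif e["EventCode"] == TGS_REQUEST:
                # No precursor yet, or the last one is outside the window: flag it.
                if last_precursor is None or t - last_precursor > window:
                    hits.append(e)
    return hits


def users_with_only_tgs(events):
    """User-level form of the check (the stats/mvcount idea from the thread):
    users whose set of event codes in the period is exactly {4769}."""
    codes = {}
    for e in events:
        codes.setdefault(e["user"], set()).add(e["EventCode"])
    return sorted(u for u, c in codes.items() if c == {TGS_REQUEST})


if __name__ == "__main__":
    for h in find_unpreceded_tgs(SAMPLE_EVENTS):
        print("4769 without a recent precursor:", h)
    print("users with only 4769:", users_with_only_tgs(SAMPLE_EVENTS))
```

Two practical caveats the thread does not spell out: the check only works if the `user` field is normalized the same way across all four event codes (Kerberos events 4768/4769 populate TargetUserName, often with a realm suffix, while 4624 logs the account and domain in separate fields), and a 4769 will legitimately have no 4768 on the searched index when the TGT was issued by a domain controller whose logs are not being collected, so coverage of all DCs matters before treating a hit as a forged or stolen ticket.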
Dustem
Explorer

The query needs to be in an intranet environment, so I can't provide it.

I can describe the query result: the results I get from the SPL query are only events about 4769, but when I make a new query using the user field from those results as a keyword, I find that there are records of the three other Eventcodes for this user within 24 hours.

So I want the query result to be a user who has only events about 4769 and not the three other Eventcodes within 24 hours.
