Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using stolen or forged user tickets (TGT)

Dustem
Explorer
‎09-06-2023 04:47 AM

hi guys, I want to detect a service ticket request (Windows event code 4769) and one of the following corresponding events does not appear before the service ticket request:
1. User Ticket (TGT) request, Windows event code 4768.
2. Ticket renewal request, Windows event code 4770.

0 Karma
Reply

Dustem
Explorer
‎09-07-2023 08:09 PM

I want to search for a user with 4769 events over a continuous period, but the user has no 4768 or 4770 events during that time, instead of 4769 and no 4768 or 4770 users.

0 Karma
Reply

Dustem
Explorer
‎09-07-2023 08:43 PM

Not during this period, but the user did not have 4768 or 4770 events prior to this period.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-07-2023 11:34 PM

Hi @Dustem,

let me understand: 4768 or 4770 should be before the 4769 and you want an alert if tey are missing or tey aren't before, is is correct?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 04:52 AM

Hi @Dustem,

let me understand: you want to discover if, in one time period, there was a Windows EventCode=4769 but not a Windows EventCode=4770, is it correct?

I suppose that you have a common ID to correlate the events.

If this is your requirement, you could try something like this:

index=wineventlog EventCode IN (4769,4770)
| stats dc(EventCode) AS EventCode_count BY TGT_Id
| where EventCode_count=1

Cioao.

Giuseppe

 

0 Karma
Reply

Dustem
Explorer
‎09-06-2023 06:51 AM

Hi gcusello,

My description may not be accurate.

I want to detect eventcode=4769 and  then detect whether the user of this event(eventcode=4769) has eventcode=4768 or eventcode=4770 before it.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 07:14 AM

Hi @Dustem,

the approach is the same:

index=wineventlog EventCode IN (4768,4769,4770)
| stats 
   dc(EventCode) AS EventCode_count 
   values(EventCode) AS EventCode 
   BY user
| where EventCode_count=1 AND EventCode=4769

in this way you have the users where there's the EventCode 4769 but not one of the others.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...