I am working on creating a use case to detect an account that is created and deleted within a short period of time.
Could you please give a simple example of how connected=true/false will affect the results of the transaction command?
I already referred to the previous answer but didn't understand the explanation.
Additionally, please also explain the effect of connected=true/false in the query below, and what the best practice is.
sourcetype=wineventlog (EventCode=4726 OR EventCode=4720)
| transaction user maxspan=240m startswith="EventCode=4720" endswith="EventCode=4726" connected=false
| table _time, dest, EventCode, user, src_user, Account_Domain
Hi @mohammadsharukh,
if I remember correctly, there's a sample of a short-living account in the Splunk Security Essentials App, which I recommend.
Anyway, don't use the transaction command because it's very slow; please try this search:
sourcetype=wineventlog (EventCode=4726 OR EventCode=4720)
| stats
    min(eval(if(EventCode=4720,_time,null()))) AS earliest
    max(eval(if(EventCode=4726,_time,null()))) AS latest
    values(EventCode) AS EventCode
    values(dest) AS dest
    values(src_user) AS src_user
    values(Account_Domain) AS Account_Domain
    BY user
| where isnotnull(earliest) AND isnotnull(latest)
| eval
    diff=latest-earliest,
    creation_time=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
    deletion_time=strftime(latest,"%Y-%m-%d %H:%M:%S")
| where diff>=0 AND diff<240*60
| table creation_time deletion_time dest EventCode user src_user Account_Domain
Ciao.
Giuseppe
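The same per-user pairing logic as the stats search above (earliest 4720, latest 4726, flag when the gap is within the 240-minute window), written as an added Python example that is not part of the original thread and not Giuseppe's code; the events, account names and hosts are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of Windows Security events (not real log data).
# 4720 = user account created, 4726 = user account deleted; "user" is the target account.
SAMPLE_EVENTS: List[Dict] = [
    {"_time": "2024-05-01 09:00:00", "EventCode": 4720, "user": "svc_temp", "src_user": "admin1", "dest": "DC01"},
    {"_time": "2024-05-01 10:30:00", "EventCode": 4726, "user": "svc_temp", "src_user": "admin1", "dest": "DC01"},
    {"_time": "2024-05-01 08:00:00", "EventCode": 4720, "user": "jdoe", "src_user": "hr_admin", "dest": "DC01"},
    {"_time": "2024-05-03 17:00:00", "EventCode": 4726, "user": "jdoe", "src_user": "hr_admin", "dest": "DC01"},
    # deletion of an older account followed by re-creation: deletion precedes creation, so it must not match
    {"_time": "2024-05-01 11:00:00", "EventCode": 4726, "user": "old_acct", "src_user": "admin2", "dest": "DC02"},
    {"_time": "2024-05-01 12:00:00", "EventCode": 4720, "user": "old_acct", "src_user": "admin2", "dest": "DC02"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_short_lived_accounts(events: List[Dict], max_span: timedelta = timedelta(minutes=240)) -> List[Dict]:
    """Per user: earliest creation (4720) and latest deletion (4726); flag if 0 <= deletion - creation <= max_span."""
    per_user = defaultdict(lambda: {"created": None, "deleted": None, "src_user": set(), "dest": set()})
    for ev in events:
        rec = per_user[ev["user"]]
        t = _parse(ev["_time"])
        if ev["EventCode"] == 4720 and (rec["created"] is None or t < rec["created"]):
            rec["created"] = t          # min(_time) over creation events
        elif ev["EventCode"] == 4726 and (rec["deleted"] is None or t > rec["deleted"]):
            rec["deleted"] = t          # max(_time) over deletion events
        rec["src_user"].add(ev["src_user"])
        rec["dest"].add(ev["dest"])

    hits = []
    for user, rec in per_user.items():
        if rec["created"] is None or rec["deleted"] is None:
            continue                    # only one side seen: equivalent to the isnotnull() filter in SPL
        diff = rec["deleted"] - rec["created"]
        if timedelta(0) <= diff <= max_span:   # negative diff means deletion came first, not a short-lived account
            hits.append({
                "user": user,
                "creation_time": rec["created"].strftime("%Y-%m-%d %H:%M:%S"),
                "deletion_time": rec["deleted"].strftime("%Y-%m-%d %H:%M:%S"),
                "diff_minutes": int(diff.total_seconds() // 60),
                "src_user": sorted(rec["src_user"]),
                "dest": sorted(rec["dest"]),
            })
    return sorted(hits, key=lambda h: h["user"])
```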