Splunk Search

Windows Event Query

New Member

Hi, I am having some difficulty creating an alert with the following criteria:

  • EventCode 4769
  • AND multiple requests from a single Account
  • OR multiple requests from a single Client_Address
  • AND ticket requests for 3 or more unique Service_Names
  • AND frequency of 3 or more requests per minute
  • AND Service_Name IS NOT a computer account (Regex: \$$)
  • AND TicketEncryptionType IS NOT 0x12

If anyone could guide me that would be very much appreciated. These logs come in as WinEventLog.

1 Solution

SplunkTrust

Here's a first cut at it. You will need to update your index name, verify each field name is properly spelled and properly capitalized, and test each line to make sure it filters appropriately. Just put |head 10 after the first line for testing, until you've verified all the individual items.

For instance, the regex line will need to be checked to make sure it kills exactly the right records and no others. If it works wrong and you can't figure it out, then get on the Splunk Slack channel, in the #regex subchannel, and ask for help there to get regexes that will match properly.

index=foo sourcetype=WinEventLog EventCode=4769  
| fields _time index Account Client_Address Service_Name Ticket_Encryption_Type

| rename COMMENT as "regex takes a single field/expression pair per command, so the two exclusions are separate commands:"
| rename COMMENT as "drop computer-account SPNs (Service_Name ending in $) and AES256 (0x12) tickets"
| regex Service_Name!="\$$"
| search Ticket_Encryption_Type!="0x12"

| rename COMMENT as "Sort the records into time order, and then check how many different services there are in any one"
| rename COMMENT as "minute time frame, for each Client_Address and for each Account" 
| sort 0 _time
| streamstats time_window=1m count as svcCountByCA dc(Service_Name) as dcCountByCA by Client_Address
| streamstats time_window=1m count as svcCountByAc dc(Service_Name) as dcCountByAc by Account


| rename COMMENT as "Mark any records that exceed the thresholds, in this case 3 distinct Service Names, which means at least 3 records as well" 
| eval keepme=case(dcCountByCA>=3,"keepme", 
                   dcCountByAc>=3,"keepme")


| rename COMMENT as "For each Account and each Client_Address that hit the threshold, keep all the records for analysis" 
| rename COMMENT as "Otherwise throw them all away" 
| eventstats max(keepme) as keepme by Client_Address
| eventstats max(keepme) as keepme by Account
| where isnotnull(keepme)  


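The accepted answer's pipeline replayed in Python over a handful of constructed EventCode 4769 records, so the two window counts and the keep/discard propagation can be checked without a Splunk instance. This is an added example, not code from the thread: the field names (Account, Client_Address, Service_Name, Ticket_Encryption_Type) follow the thread, the events are invented, and the trailing one-minute window is an approximation of `streamstats time_window=1m`.

```python
"""Replay of the thread's SPL pipeline over constructed EventCode 4769 records.

Added example, not code from the thread. Field names follow the thread, the
events below are invented, and the trailing one-minute window approximates
`streamstats time_window=1m`.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("_time", "Account", "Client_Address", "Service_Name", "Ticket_Encryption_Type")

# Constructed sample data, not real logs. 0x17 is RC4-HMAC, the type a
# Kerberoasting tool asks for; 0x12 is AES256 and is excluded by the query.
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:01", "jdoe@CORP.LOCAL",    "10.0.0.5", "MSSQLSvc/db01", "0x17"),
    ("2024-05-01 10:00:05", "jdoe@CORP.LOCAL",    "10.0.0.5", "http/web01",    "0x17"),
    ("2024-05-01 10:00:09", "jdoe@CORP.LOCAL",    "10.0.0.5", "cifs/fs01",     "0x17"),
    ("2024-05-01 10:00:12", "jdoe@CORP.LOCAL",    "10.0.0.5", "WS01$",         "0x17"),  # computer account
    ("2024-05-01 10:02:00", "asmith@CORP.LOCAL",  "10.0.0.7", "MSSQLSvc/db01", "0x12"),  # AES256
    ("2024-05-01 10:02:30", "asmith@CORP.LOCAL",  "10.0.0.7", "http/web01",    "0x17"),
    ("2024-05-01 10:05:00", "asmith@CORP.LOCAL",  "10.0.0.7", "cifs/fs01",     "0x17"),
    # Three different accounts from one client address inside a minute: only
    # the per-Client_Address window trips the threshold.
    ("2024-05-01 10:05:10", "bnguyen@CORP.LOCAL", "10.0.0.9", "ldap/dc01",     "0x17"),
    ("2024-05-01 10:05:20", "cwhite@CORP.LOCAL",  "10.0.0.9", "http/web01",    "0x17"),
    ("2024-05-01 10:05:30", "dlee@CORP.LOCAL",    "10.0.0.9", "cifs/fs01",     "0x17"),
]

COMPUTER_ACCOUNT = re.compile(r"\$$")   # the thread's regex: Service_Name ends in '$'


def to_records(rows):
    """Turn the tuples into dicts with a real datetime in _time."""
    recs = []
    for row in rows:
        rec = dict(zip(FIELDS, row))
        rec["_time"] = datetime.strptime(rec["_time"], "%Y-%m-%d %H:%M:%S")
        recs.append(rec)
    return recs


def exclude(recs):
    """The two exclusions: computer-account SPNs and AES256 (0x12) tickets."""
    return [r for r in recs
            if not COMPUTER_ACCOUNT.search(r["Service_Name"])
            and r["Ticket_Encryption_Type"] != "0x12"]


def window_stats(recs, key, window=timedelta(minutes=1)):
    """Per-event (count, dc(Service_Name)) over a trailing window per `key`.

    Mirrors `streamstats time_window=1m count dc(Service_Name) by <key>`;
    `recs` must already be sorted by _time.
    """
    history = defaultdict(list)
    stats = []
    for r in recs:
        h = history[r[key]]
        h.append(r)
        while r["_time"] - h[0]["_time"] > window:   # age out older events
            h.pop(0)
        stats.append((len(h), len({x["Service_Name"] for x in h})))
    return stats


def detect(rows, threshold=3):
    """Return the records the SPL keeps: every record belonging to an Account
    or Client_Address that requested `threshold` distinct services within one
    minute, after the exclusions."""
    recs = sorted(exclude(to_records(rows)), key=lambda r: r["_time"])
    by_ca = window_stats(recs, "Client_Address")
    by_ac = window_stats(recs, "Account")
    # eval keepme=case(dcCountByCA>=3, ..., dcCountByAc>=3, ...)
    for r, (_, dc_ca), (_, dc_ac) in zip(recs, by_ca, by_ac):
        r["keepme"] = dc_ca >= threshold or dc_ac >= threshold
    # eventstats max(keepme) by Client_Address, then by Account: the flag
    # spreads to every record sharing a flagged address, then a flagged account.
    flagged_ca = {r["Client_Address"] for r in recs if r["keepme"]}
    for r in recs:
        r["keepme"] = r["Client_Address"] in flagged_ca
    flagged_ac = {r["Account"] for r in recs if r["keepme"]}
    for r in recs:
        r["keepme"] = r["Account"] in flagged_ac
    return [r for r in recs if r["keepme"]]   # where isnotnull(keepme)


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(r["_time"].time(), r["Account"], r["Client_Address"], r["Service_Name"])
```

Running it prints six rows: jdoe's three requests (flagged on both windows) and the three single requests from 10.0.0.9, which only the per-address window catches. asmith's two surviving requests are more than a minute apart and drop out, which is exactly the "3 in any one minute, or sustained over some duration" question raised in the other reply; widening `window` in `window_stats` is the knob for that.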


SplunkTrust

First, you need to clarify which ands and ors go together.

You might want to start with

Only take event 4769

Ignore any record which has any of these characteristics -

( service name is a computer account) OR
(Ticket encryption type is 0x12)

After that, you need to figure out the priority of the other statements. Is 3 requests in any one minute enough to trigger the report, or does it have to be sustained across some duration?

By the way, you probably are going to want to do separate reports for Account and for Client_Address, or the report is likely to end up quite a mess.


New Member

Thank you for your response. I believe that it is over any minute. The timing aspect of this query is what I am unsure of and need further guidance on.
