Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rcastello
rcastello
Explorer
Member since:
11-30-2018
04-01-2022
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 11-30-2018 |
Activity Feed
- Got Karma for Tracking how long someone has been logged into a workstation in a given day. 06-05-2020 12:50 AM
- Posted Re: Building an Account Lockout Alert on Alerting. 04-27-2020 12:44 PM
- Posted Re: Building an Account Lockout Alert on Alerting. 04-23-2020 10:32 AM
- Posted Re: Building an Account Lockout Alert on Alerting. 04-22-2020 07:35 AM
- Posted Re: Building an Account Lockout Alert on Alerting. 04-17-2020 12:23 PM
- Posted Building an Account Lockout Alert on Alerting. 04-17-2020 11:37 AM
- Tagged Building an Account Lockout Alert on Alerting. 04-17-2020 11:37 AM
- Tagged Building an Account Lockout Alert on Alerting. 04-17-2020 11:37 AM
- Tagged Building an Account Lockout Alert on Alerting. 04-17-2020 11:37 AM
- Tagged Building an Account Lockout Alert on Alerting. 04-17-2020 11:37 AM
- Posted How to identify an admin who made a change in GPO on Security. 02-10-2020 02:01 PM
- Tagged How to identify an admin who made a change in GPO on Security. 02-10-2020 02:01 PM
- Tagged How to identify an admin who made a change in GPO on Security. 02-10-2020 02:01 PM
- Tagged How to identify an admin who made a change in GPO on Security. 02-10-2020 02:01 PM
- Posted Creating a detailed table to investigate user account logging into several servers on Splunk Search. 12-06-2019 12:55 PM
- Tagged Creating a detailed table to investigate user account logging into several servers on Splunk Search. 12-06-2019 12:55 PM
- Tagged Creating a detailed table to investigate user account logging into several servers on Splunk Search. 12-06-2019 12:55 PM
- Tagged Creating a detailed table to investigate user account logging into several servers on Splunk Search. 12-06-2019 12:55 PM
- Posted How to review how many servers a user logged into within a specific time period on Splunk Search. 12-05-2019 02:34 PM
- Tagged How to review how many servers a user logged into within a specific time period on Splunk Search. 12-05-2019 02:34 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
04-27-2020
12:44 PM
That did it! Thank you so much, Rich. This will help me greatly. The corrected SPL is below so that others in the community can utilize it if needed now that the time is populating as intended.
source="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user=*
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| eval time = if(lockout="Yes", _time, null())
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
... View more
04-23-2020
10:32 AM
Thanks Rich. I went through it and corrected sourcetype to source and found an extra "=" in one of the EventCode. The table now appears using the SPL below:
source="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user=*
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| eval time = if(lockout="Yes", _time, null())
| stats latest(time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(_time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
Last thing - I get no eval time results. I attempted to correct it using trial and error with _time vs time, but nothing surfaced. Thanks again for your continued assistance. I'm learning a lot from this.
... View more
04-22-2020
07:35 AM
Thanks! I also found a spacing error between "locked" and "out" on line 5. Corrected below and added your edits.
sourcetype="WinEventLog:Security" (EventCode="4740" OR EventCode==644 OR EventCode=4625 OR EventCode=4771) user="*"
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| eval time = if(lockout="Yes", _time, null())
| stats latest(time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
While this SPL is not throwing up an error now, I'm not receiving any results and I've seen examples of account lockouts in the last 24 hours. I'm not sure what it might be missing. Any ideas? Thanks again.
... View more
04-17-2020
12:23 PM
Hello. Based on your recommendations, I edited the SPL to the following:
sourcetype="WinEventLog:Security" (EventCode="4740" OR EventCode==644 OR EventCode=4625 OR EventCode=4771) user="admin*"
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| eval time = if(lockout="Yes"),_time, null())
| stats latest(time) as time, latest(src_nt_host) as host, latest(lockout) as locked out values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
However, it throws up this error now: Error in 'eval' command: The arguments to the 'if' function are invalid.
I tried working with the spacing in the eval if statement, but it doesn't seem to be picking up the opening parentheses.
... View more
04-17-2020
11:37 AM
Hello,
I was reviewing a previous Splunk Answer (https://answers.splunk.com/answers/447037/how-to-edit-my-search-to-trigger-when-an-account-i.html) that has an great answer, but it seems the SPL has an error in it that was never corrected and the Splunk user who answered it is no longer active. I've tried to play with it to solve the error, but I'm not sure what in the stats command is causing the error despite the message presented. (Below)
The Error: Error in 'stats' command: The eval expression for dynamic field 'eval(if(lockout="Yes"), _time null())' is invalid. Error='The operator at ', _time null()' is invalid.'.
sourcetype="WinEventLog:Security" (EventCode="4740" OR EventCode==644 OR EventCode=4625 OR EventCode=4771) user="admin*"
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| stats latest(eval(if(lockout="Yes"), _time, null())) as time, latest(src_nt_host) as host, latest(lockout) as locked out values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
Any assistance would be wonderful. Thank you.
... View more
Labels
- Labels:
-
alert condition
02-10-2020
02:01 PM
Hello,
Someone made changes to GPO that negatively impacted devices in our environment. I searched event code 4733, but I haven't been able to link an admin account to the activity. I found this query below on another thread (https://answers.splunk.com/answers/172845/how-to-correlate-the-admin-user-with-a-gpo-change.html) but there seems to be an issue with the ldap portion. Would anyone know what the issue is and/or know something better I can use? Thank you.
index=* EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=*DOMAIN* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"
|convert ctime(_time) as Time
|table _time Security_ID EventCodeDescription action gpo_guid displayName
... View more
- Tags:
- admin
- gpo
- splunk-cloud
12-06-2019
12:55 PM
Hello,
I'm attempting to build a detailed table complete with timestamp, account name, eventcode, and host. We found that there is an account logging into various servers over a period of 48 hours, but I'm having difficulty creating a proper query. The only column that is filled out is host. Here is what I attempted:
index="index" Account_Name="account" EventCode="event code" | stats count BY host | eval timestamp=strftime(_time, "%B %d, %D:%M:%S %p") | table timestamp Account_Name host eventcode
Thank you for any help the community can provide.
... View more
12-05-2019
02:34 PM
Hello,
How can I compile a stats list of what servers a user account has logged into within a specific time period? I was surprised I couldn't find a similar answer that solved this.
Thank you.
... View more
05-23-2019
10:02 AM
Hello,
I'm looking to create an alert that looks for and triggers when certain VPN solutions, such as GoToMyPC, VNC, etc. are utilized within our environment.
Does anyone have experience with this? I wasn't able to find any similar existing posts. Thank you.
... View more
12-03-2018
09:25 AM
1 Karma
Hello,
I'm attempting to figure out how long an employee has been logged into their laptop in a given day. I started with the following, with the * representing the user:
index=* source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name="*"
Then, I added a table pipe:
| table _time Account* Logon*
I get a decent chart that displays their logon activity throughout the day, but I was wondering if there was more efficient way to perform this, say showing logon and logoff activity.
Thank you.
... View more
12-03-2018
07:29 AM
Hello woodcock,
Thanks for your assistance. When I utilize your recommendation, Splunk throws this error:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ', "unknown")'.
Is there some data I should be using in place of "unknown" instead? Thanks for your help, @woodcock .
... View more
11-30-2018
02:05 PM
Hello,
I'm currently using this query to create a table:
index=* sourcetype=* dport=139 OR sport=139
| eval timestamp=strftime(_time, "%B %d, %I:%M:%S %p")
| table timestamp sourcetype dport sport
However, I'd like to include src_ip and dest_ip, so I tried this but it doesn't pull the same results:
index=* sourcetype=* src_ip=* dest_ip=* dport=139 OR sport=139
| eval timestamp=strftime(_time, "%B %d, %I:%M:%S %p")
| table timestamp sourcetype src_ip dest_ip dport sport
What am I doing incorrectly and how can I reach my desired results? Thank you for any help provided.
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-01-2022
03:44 PM
|
