We currently have a report every morning that shows which users have been removed from a particular AD group from the previous day.
The report sometimes shows too many events. I want to modify it such that if a user has been removed from an AD group and added back in within one hour, then it would be ignored.
Here are examples below. EventCode 4729 is a user getting removed and 4728 is a user getting added.
_time                MemberSid  AD_Group    EventCode
2022-12-21 14:48:22  bob        Executives  4728
2022-12-21 12:48:22  bob        Executives  4729
This would show up in the morning report that bob was removed from the Executives group at 12:48 since it's been over an hour since they were added back in.
_time                MemberSid  AD_Group    EventCode
2022-12-21 14:38:22  janice     Executives  4728
2022-12-21 13:00:22  bob        Executives  4728
2022-12-21 12:55:22  dylan      Executives  4729
2022-12-21 12:50:22  janice     Executives  4729
2022-12-21 12:48:22  bob        Executives  4729
Janice and Dylan would show up in the morning report in this case since it's been over an hour since Janice was added back in and Dylan was never added back at all.
I'm not good with SPL and am having trouble with what command(s) to use so that I can achieve the above. Below is the search I currently have. The comment indicates what I'm trying to do.
index=oswinsec sourcetype="XmlWinEventLog" EventCode IN (4728,4729) Group_Name="Executives"
| rename Group_Name as AD_Group
| table _time, MemberSid, AD_Group, EventCode
| sort MemberSid ``` WHERE for a user, if there is eventcode 4729 and no eventcode 4728 following or eventcode 4728 over an hour later, then keep those events/results. In other words, ignore users with eventcode 4729 and eventcode 4728 within an hour apart.```
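The filtering rule the question describes, written out as an added Python example (not part of the original post and not SPL): group the 4728/4729 events per member and group, sort them by time, and for each removal (4729) look for the first re-add (4728) that follows it. A removal is reported only when no re-add follows or the re-add lands more than one hour later. The sample events are constructed from the second example above; the field names `_time`, `MemberSid`, `AD_Group` and `EventCode` are the ones the post uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, copied from the second example in the post.
# Timestamps carry no zone, so they are treated as naive local times.
SAMPLE_EVENTS = [
    {"_time": "2022-12-21 14:38:22", "MemberSid": "janice", "AD_Group": "Executives", "EventCode": 4728},
    {"_time": "2022-12-21 13:00:22", "MemberSid": "bob",    "AD_Group": "Executives", "EventCode": 4728},
    {"_time": "2022-12-21 12:55:22", "MemberSid": "dylan",  "AD_Group": "Executives", "EventCode": 4729},
    {"_time": "2022-12-21 12:50:22", "MemberSid": "janice", "AD_Group": "Executives", "EventCode": 4729},
    {"_time": "2022-12-21 12:48:22", "MemberSid": "bob",    "AD_Group": "Executives", "EventCode": 4729},
]

MEMBER_ADDED = 4728    # Windows security event: member added to a global group
MEMBER_REMOVED = 4729  # Windows security event: member removed from a global group


def parse_time(value):
    """Parse the timestamp format shown in the post."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def unreverted_removals(events, grace=timedelta(hours=1)):
    """Return the 4729 events that were NOT reverted by a 4728 for the same
    member and group within `grace`, ordered by time.

    A 4728 that occurs *before* the removal is the earlier membership and does
    not count as a revert; only the first 4728 after the removal is checked.
    """
    per_member = defaultdict(list)
    for event in events:
        per_member[(event["MemberSid"], event["AD_Group"])].append(event)

    kept = []
    for member_events in per_member.values():
        member_events.sort(key=lambda e: parse_time(e["_time"]))
        for index, event in enumerate(member_events):
            if event["EventCode"] != MEMBER_REMOVED:
                continue
            removed_at = parse_time(event["_time"])
            # First re-add strictly after this removal, if any.
            readd = next(
                (e for e in member_events[index + 1:] if e["EventCode"] == MEMBER_ADDED),
                None,
            )
            if readd is None or parse_time(readd["_time"]) - removed_at > grace:
                kept.append(event)

    return sorted(kept, key=lambda e: (e["_time"], e["MemberSid"]))


if __name__ == "__main__":
    for event in unreverted_removals(SAMPLE_EVENTS):
        print(event["_time"], event["MemberSid"], event["AD_Group"], event["EventCode"])
```

Run against the sample, this reports janice (re-added 108 minutes later) and dylan (never re-added) and drops bob (re-added after 12 minutes). The same per-member, time-ordered pairing is what a Splunk search needs to express: sort the events by member and time, carry the time of the next 4728 alongside each 4729 (for example with `streamstats` split by `MemberSid` and `AD_Group`), and keep the 4729 rows whose gap is absent or greater than 3600 seconds.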