Splunk Enterprise Security

Short-lived Account Detected - How to narrow down searches to certain accounts?

Jay1234
Explorer

Hi
It's my first week in the job, and I am finding that creating alerts is not the issue; how to create useful alerts is more what I am looking for.

We turned on Access - Short-lived Account Detected from the use cases in the Use Case Library, and it's causing way too many alerts.
I wanted to narrow the field down to just admin accounts instead of the whole company.

Anybody got ideas on how to do this? Or point me to an article where I can edit these types of searches?

In the correlation search I have got:
| tstats `summariesonly` count from datamodel=Change.All_Changes
    where nodename="All_Changes.Account_Management"
      (All_Changes.action="created" OR All_Changes.action="deleted")
    by _time, All_Changes.dest, All_Changes.user span=1s
| `drop_dm_object_name("All_Changes")`
| streamstats range(_time) as delta, sum(count) as count by user, dest window=2 global=f
| where count>1 AND delta<`useraccount_minimal_lifetime`
| `uptime2string(delta,timestr)`
| table user, dest, delta, timestr


`wineventlog_security` (EventCode=4698 OR EventCode=4699)
| xmlkv Message
| transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699)
| eval short_lived=case((duration<30),"TRUE")
| search short_lived=TRUE
| table _time, ComputerName, Account_Name, Command, Task_Name, short_lived
| `short_lived_scheduled_task_filter`


dparmar
New Member

Hi, I too am looking to include only ADM accounts but am unable to write a query for that. So how would the query look to only get alerts from ADM* accounts?


richgalloway
SplunkTrust

The query would look something like this:

index=wineventlog sAMAccountName="ADM*"

Of course, this would be useful only if the admin accounts in your organization start with "ADM".

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

If your company has a naming convention for admin accounts ("adm*", for instance), then you can add a filter to include only those.

Another option is to filter on the src_user_type field, if it's populated.

---
If this reply helps you, Karma would be appreciated.
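Applying the two suggestions from the replies above to the correlation search that was posted, as an added example that is not from the thread or from Splunk's own content. One thing the plain `index=wineventlog sAMAccountName="ADM*"` form does not carry over: the correlation search is a `tstats` search over the Change data model, so only data model field names exist in its `where` clause (the account being created or deleted is `All_Changes.user`, not the raw `sAMAccountName`), and the filter belongs in that `where` clause so it runs against the accelerated summary rather than throwing rows away afterwards. The example assumes two things that are not in the thread: that admin accounts carry an "adm" prefix, and that a lookup file named `privileged_accounts.csv` with a column `account` exists for the admin accounts that do not follow the prefix convention. Either half of the filter can be dropped if it does not apply.

```spl
| tstats `summariesonly` count from datamodel=Change.All_Changes
    where nodename="All_Changes.Account_Management"
      (All_Changes.action="created" OR All_Changes.action="deleted")
      (All_Changes.user="adm*"
       OR [| inputlookup privileged_accounts.csv
           | rename account AS "All_Changes.user"
           | fields "All_Changes.user"])
    by _time, All_Changes.dest, All_Changes.user span=1s
| `drop_dm_object_name("All_Changes")`
| streamstats range(_time) AS delta, sum(count) AS count by user, dest window=2 global=f
| where count>1 AND delta<`useraccount_minimal_lifetime`
| `uptime2string(delta,timestr)`
| table user, dest, delta, timestr
```

The subsearch expands to an OR of `All_Changes.user="..."` terms, so the list of privileged accounts lives in the lookup and the search itself never has to change when an admin account is added. Before relying on the prefix match, check how the user value is actually stored in the summary (for example whether it is `adm_jsmith` or `DOMAIN\adm_jsmith`) with `| tstats `summariesonly` values(All_Changes.user) from datamodel=Change.All_Changes where nodename="All_Changes.Account_Management"` and adjust the pattern to what you see. In Enterprise Security the search text is edited under Configure > Content > Content Management; cloning the shipped correlation search before editing keeps the customised copy separate from the one that app updates maintain.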