Hi
It's my first week in the job, and I am finding that creating alerts is not the issue; how to create useful alerts is more what I am looking for.
We turned on "Access - Short-lived Account Detected" in the Use Case Library and it's causing way too many alerts.
I wanted to narrow the field down to just admin accounts instead of the whole company.
Anybody got ideas on how to do this? Or point me to an article where I can edit these types of searches?
In the correlation search I have got:
| tstats `summariesonly` count from datamodel=Change.All_Changes where nodename="All_Changes.Account_Management" (All_Changes.action="created" OR All_Changes.action="deleted") by _time,All_Changes.dest,All_Changes.user span=1s
| `drop_dm_object_name("All_Changes")`
| streamstats range(_time) as delta,sum(count) as count by user,dest window=2 global=f
| where count>1 AND delta<`useraccount_minimal_lifetime`
| `uptime2string(delta,timestr)`
| table user, dest, delta, timestr

`wineventlog_security` EventCode=4698 OR EventCode=4699
| xmlkv Message
| transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699)
| eval short_lived=case((duration<30),"TRUE")
| search short_lived = TRUE
| table _time, ComputerName, Account_Name, Command, Task_Name, short_lived
| `short_lived_scheduled_task_filter`
Hi, I am also looking to include ADM accounts but am unable to write a query for that. So how would the query look to only get alerts from ADM* accounts?
The query would look something like this:
index=wineventlog sAMAccountName="ADM*"
Of course, this would be useful only if the admin accounts in your organization start with "ADM".
If your company has a naming convention for admin accounts ("adm*", for instance) then you can add a filter to include only those.
Another option is to filter on the src_user_type field, if it's populated.
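To make the two narrowing options from this thread concrete (a naming-convention prefix on the account name, or a populated user-type field), here is an added Python model of what the "Short-lived Account Detected" correlation search does. It is example code written for this thread, not Splunk's or the Use Case Library's own logic: it replays constructed account created/deleted events per (user, dest), flags a deletion that follows a creation by less than a minimal lifetime, and applies the admin filters before pairing. The lifetime value, the `src_user_type` values and the sample events are all assumptions; the example pairs a "created" with the next "deleted" for the same account, which is slightly stricter than the original search's two-consecutive-events window.

```python
"""Model of the short-lived account detection with optional admin-only filtering.

Constructed example for the thread above; not Splunk's own code.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed stand-in for the `useraccount_minimal_lifetime` macro (seconds).
USERACCOUNT_MINIMAL_LIFETIME = 86400


def matches_admin(user: str, prefix: Optional[str]) -> bool:
    """Case-insensitive prefix test, mirroring a sAMAccountName="ADM*" search term."""
    return prefix is None or user.upper().startswith(prefix.upper())


def format_duration(seconds: int) -> str:
    """Human-readable delta, in the spirit of the `uptime2string` macro."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}h {minutes}m {secs}s"


def short_lived_accounts(
    events: Iterable[dict],
    min_lifetime: int = USERACCOUNT_MINIMAL_LIFETIME,
    admin_prefix: Optional[str] = None,
    src_user_type: Optional[str] = None,
) -> List[dict]:
    """Return (user, dest, delta, timestr) rows for accounts deleted soon after creation.

    admin_prefix   -> keep only accounts whose name starts with this prefix
    src_user_type  -> keep only events whose src_user_type field equals this value
    """
    ordered = sorted(events, key=lambda e: e["_time"])
    last_created: Dict[Tuple[str, str], int] = {}  # (user, dest) -> creation time
    hits: List[dict] = []
    for ev in ordered:
        if ev.get("action") not in ("created", "deleted"):
            continue
        # Narrowing filters run first, so non-admin noise never reaches pairing.
        if not matches_admin(ev["user"], admin_prefix):
            continue
        if src_user_type is not None and ev.get("src_user_type") != src_user_type:
            continue
        key = (ev["user"], ev["dest"])
        if ev["action"] == "created":
            last_created[key] = ev["_time"]
            continue
        created_at = last_created.pop(key, None)
        if created_at is None:
            continue  # deletion with no observed creation: nothing to pair
        delta = ev["_time"] - created_at
        if delta < min_lifetime:
            hits.append({"user": ev["user"], "dest": ev["dest"],
                         "delta": delta, "timestr": format_duration(delta)})
    return hits


# Constructed sample events (field names follow the Change data model).
SAMPLE_EVENTS = [
    {"_time": 1000, "dest": "dc01", "user": "ADM_jdoe", "action": "created", "src_user_type": "admin"},
    {"_time": 1600, "dest": "dc01", "user": "ADM_jdoe", "action": "deleted", "src_user_type": "admin"},
    {"_time": 2000, "dest": "dc01", "user": "svc_backup", "action": "created"},
    {"_time": 2300, "dest": "dc01", "user": "svc_backup", "action": "deleted"},
    {"_time": 3000, "dest": "fs01", "user": "adm_ops", "action": "created"},
    {"_time": 93000, "dest": "fs01", "user": "adm_ops", "action": "deleted"},  # lived > 1 day
]

if __name__ == "__main__":
    print("all accounts:", short_lived_accounts(SAMPLE_EVENTS))
    print("ADM* only:   ", short_lived_accounts(SAMPLE_EVENTS, admin_prefix="ADM"))
    print("by type:     ", short_lived_accounts(SAMPLE_EVENTS, src_user_type="admin"))
```

Run as-is, the unfiltered pass reports both the ADM_jdoe and the svc_backup pair, while the ADM prefix (or the src_user_type filter) leaves only ADM_jdoe; adm_ops is excluded in every pass because it outlived the minimal lifetime. The same ordering applies in SPL: put the account filter in the `where` clause of the `tstats` call (or a `| search user="ADM*"` right after `drop_dm_object_name`) rather than at the end, so the streamstats window only ever sees admin accounts.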