Splunk Search

How to Trigger Password Reset alarm by Admin by Distinct count of targets?

mdicenzo
Explorer

I want to essentially trigger an alarm if a user changes the password of multiple distinct user accounts within a given period of time. 

I was able to start with the search below, which provides me a count of distinct user account change grouped by the source user. 

When I try to apply a threshold logic to it, it doesn't appear to work.

source="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724)
| stats count(Target_Account_Name) by Subject_Account_Name

Labels (1)
Tags (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

dc outputs a number.  Just use it in a logical expression, like

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats values(Target_Account_Name) dc(Target_Account_Name) by Subject_Account_Name
| where 'dc(Target_Account_Name)' > 5

Or more customarily,

 

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats values(Target_Account_Name) as Target_Account_Name dc(Target_Account_Name) as Target_Account_Count by Subject_Account_Name
| where Target_Account_Count > 5​

Alternatively, you do not need to use dc.  You can perform mvcount on aggregate Target_Account_Name to give more concise output.

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats values(Target_Account_Name) as Target_Account_Name by Subject_Account_Name
| where mvcount(Target_Account_Name) > 5​

 

View solution in original post

Tags (1)

PickleRick
SplunkTrust
SplunkTrust

1. i'd check the TA windows for eventtype. There might be one already defined covering your event codes and your search would be more concise.

2. What do you mean by "does not work"?

0 Karma

mdicenzo
Explorer

Hello,

 

Thanks for the feedback. I will be more specific next time. I wasn’t aware of the dc (distinct count) option in search.

 

In the example you provided, how would I alert in which the dc has a count of over 5?

 

Thank You

0 Karma

yuanliu
SplunkTrust
SplunkTrust

dc outputs a number.  Just use it in a logical expression, like

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats values(Target_Account_Name) dc(Target_Account_Name) by Subject_Account_Name
| where 'dc(Target_Account_Name)' > 5

Or more customarily,

 

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats values(Target_Account_Name) as Target_Account_Name dc(Target_Account_Name) as Target_Account_Count by Subject_Account_Name
| where Target_Account_Count > 5​

Alternatively, you do not need to use dc.  You can perform mvcount on aggregate Target_Account_Name to give more concise output.

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats values(Target_Account_Name) as Target_Account_Name by Subject_Account_Name
| where mvcount(Target_Account_Name) > 5​

 

Tags (1)

mdicenzo
Explorer

Thanks for the feedback. This worked for me!

0 Karma

yuanliu
SplunkTrust
SplunkTrust

If the problem is solved, please select the answer and close.  Karma for all that helped advance the solution is also appreciated.

yuanliu
SplunkTrust
SplunkTrust

You need to tell volunteers what "doesn't work" means.  This is a phrase to be avoided in the best of scenarios.

This said, if Target_Account_Name and Subject_Account_Name are both available in raw events, maybe you are looking for distinct_count (aka dc) instead of count? Something like

source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats dc(Target_Account_Name) by Subject_Account_Name

Hope this helps.

Tags (1)
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...