
How to return results only if Previous_Time and New_Time difference is more than 5s?

evallja
Path Finder

Hello everyone,

I have the fields below and I want the search to generate results only when the difference between Previous_Time and New_Time is more than 5s:

_time | host | EventCode | EventCodeDescription | Name | Previous_Time | New_Time
Tue Aug 15 09:35:01 2023 | hostname | 4616 | The system time was changed. | C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe | ‎2023‎-‎08‎-‎15T07:35:01.152758200Z | ‎2023‎-‎08‎-‎15T07:35:01.152000000Z

Thank you.


ITWhisperer
SplunkTrust

You need to parse the time strings into numeric times; then you can calculate the difference.

| eval Previous_Time=strptime(Previous_Time,"%Y-%m-%dT%T.%9N%Z")
| eval New_Time=strptime(New_Time,"%Y-%m-%dT%T.%9N%Z")
| eval diff=abs(Previous_Time - New_Time)
| where diff > 5

evallja
Path Finder

I have tried the eval command before for this case, but just like in this search, it will return blank field values for Previous_Time and New_Time fields.

I even tried to change their names by creating totally new fields but still the same results.


ITWhisperer
SplunkTrust

I am not sure I understand what the issue is - this code works with the samples you have given, although perhaps the samples are not an accurate representation of your events.

Please can you share anonymised samples of your actual events, preferably in a code block </> to prevent loss of information due to formatting changes.

evallja
Path Finder

The table is copied from the results; the only field value I anonymized is the host value "hostname".

However, if it helps, I am also pasting the _raw text, changing only the sensitive info to "Anonymized":

08/15/2023 09:35:01 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4616
EventType=0
Type=Information
ComputerName=Anonymized
TaskCategory=Security State Change
OpCode=Info
RecordNumber=828401024
Keywords=Audit Success
Message=The system time was changed.
 
Subject:
Security ID: Anonymized\Administrator
Account Name: Administrator
Account Domain: Anonymized
Logon ID: 0x1B00AE
 
Process Information:
Process ID: 0x231c
Name: C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe
 
Previous Time: ‎2023‎-‎08‎-‎15T07:35:01.152758200Z
New Time: ‎2023‎-‎08‎-‎15T07:35:01.152000000Z


ITWhisperer
SplunkTrust

Wow! You have some extra characters in there; no wonder the parsing didn't work! Please try this:

| eval Previous_Time=strptime(Previous_Time,"<u+200e>%Y<u+200e>-<u+200e>%m<u+200e>-<u+200e>%dT%T.%9N%Z")
| eval New_Time=strptime(New_Time,"<u+200e>%Y<u+200e>-<u+200e>%m<u+200e>-<u+200e>%dT%T.%9N%Z")
| eval diff=abs(Previous_Time - New_Time)
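The root cause in this thread is that the Windows 4616 message embeds invisible U+200E (LEFT-TO-RIGHT MARK) characters between the date components, so a strptime() pattern that does not account for them returns null. The following Python example is added here to illustrate both answers above; it is not code from the thread or from Splunk. It strips the whole family of invisible bidi formatting characters (an assumption that goes beyond the single U+200E seen in the page), parses the 9-digit fractional seconds (Python's %f only handles 6 digits) into integer nanoseconds, pulls "Previous Time" / "New Time" out of a raw event body, and flags clock changes larger than the 5 s threshold from the question. The sample events are constructed: the first reproduces the WinSync event from the page with the marks written as escapes, the second is an invented one-hour backwards jump.

```python
import calendar
import re
from datetime import datetime

# Invisible bidi formatting characters: U+200E/U+200F marks and the
# U+202A-U+202E / U+2066-U+2069 embedding and isolate controls. Only U+200E is
# seen in the thread; the rest are included on the assumption that the same
# class of character can appear in other locales.
BIDI_MARKS = re.compile("[\u200e\u200f\u202a-\u202e\u2066-\u2069]")

# ISO-8601 UTC timestamp with up to 9 fractional digits.
TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?Z$"
)

# "Previous Time:" / "New Time:" lines inside the raw 4616 event body.
FIELD_RE = re.compile(r"^(Previous Time|New Time):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_event_time(text: str) -> int:
    """Return integer nanoseconds since the Unix epoch for a 4616 time string."""
    clean = BIDI_MARKS.sub("", text).strip()  # remove the invisible marks first
    m = TS_RE.match(clean)
    if m is None:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    year, month, day, hour, minute, second, frac = m.groups()
    whole = calendar.timegm(
        datetime(int(year), int(month), int(day),
                 int(hour), int(minute), int(second)).timetuple()
    )
    nanos = int((frac or "").ljust(9, "0"))  # right-pad so ".152" means .152000000
    return whole * 1_000_000_000 + nanos


def time_change_seconds(raw_event: str) -> float:
    """Absolute size of the clock change, in seconds, read from a raw 4616 event."""
    fields = dict(FIELD_RE.findall(raw_event))
    previous = parse_event_time(fields["Previous Time"])
    new = parse_event_time(fields["New Time"])
    return abs(new - previous) / 1e9


def is_large_time_change(raw_event: str, threshold_seconds: float = 5.0) -> bool:
    """True when the clock moved by more than the threshold (5 s in the question)."""
    return time_change_seconds(raw_event) > threshold_seconds


LRM = "\u200e"  # LEFT-TO-RIGHT MARK, as embedded by Windows in the message text

# Constructed sample 1: the WinSync event from the thread, marks made visible.
EVENT_SMALL_JUMP = (
    "EventCode=4616\n"
    "Message=The system time was changed.\n"
    "Process Information:\n"
    "Name: C:\\Program Files (x86)\\TrueTime\\WinSync\\WinSync.exe\n"
    f"Previous Time: {LRM}2023{LRM}-{LRM}08{LRM}-{LRM}15T07:35:01.152758200Z\n"
    f"New Time: {LRM}2023{LRM}-{LRM}08{LRM}-{LRM}15T07:35:01.152000000Z\n"
)

# Constructed sample 2: an invented one-hour backwards jump, which should surface.
EVENT_LARGE_JUMP = (
    "EventCode=4616\n"
    "Message=The system time was changed.\n"
    "Previous Time: 2023-08-15T07:35:01.152000000Z\n"
    "New Time: 2023-08-15T06:35:01.152000000Z\n"
)

if __name__ == "__main__":
    for label, event in (("WinSync sync", EVENT_SMALL_JUMP), ("one-hour jump", EVENT_LARGE_JUMP)):
        print(f"{label}: {time_change_seconds(event):.9f} s, "
              f"alert={is_large_time_change(event)}")
```

The sub-millisecond WinSync correction from the thread stays below the threshold while the constructed one-hour jump is flagged. The analogous fix inside SPL is to delete the marks from the field (for example with eval replace()) before calling strptime(), rather than trying to spell the marks out in the format string.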

evallja
Path Finder

Still not working... As I have already spent too much time on this search, I'm going with regex as below:

| rex field=Previous_Time "T(?P<Previous_Time>.([0-9]+(:[0-9]+)+))"

| rex field=New_Time "T(?P<New_Time>.([0-9]+(:[0-9]+)+))"

and then I will use "where" for the other filtering about the exact difference I want to choose (which also shall remain anonymized).

Thank you for your replies and your time!
Best regards.
