- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to limit transactions to only correlate ev...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to limit transactions to only correlate events on same domain
I am searching for AD accounts that are created and deleted in a short period, but we have a multiple forest environment, and as a result, when an account is created on domain A with the same ID as an account deleted on domain B, it correlates those events. I need to limit my transaction to only correlate events that occur on the same domain.
Current search is as follows:
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
In other words, I am trying to add a way to the above search so it only reports a short term account where the account creation domain = account deletion domain. Any help is much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| reverse
| streamstats count(eval(status="Account Deletion")) as session_id by user
| eval AcctDm=case(match(Account_Domain,"a") ,"Domain_A", match(Account_Domain,"b"),"Domain B", match(Domain,"c"), "Domain C"
| stats count by AcctDm user session_id
Hi,
Is this the same result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this:
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| eval AcctDm=case(match(Account_Domain,"a") ,"Domain_A", match(Account_Domain,"b"),"Domain B", match(Domain,"c"), "Domain C"
| stats count by AcctDm user
Hope this helps,
Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Mike - I appreciate the response. I have tried with similar case matching, but haven't had success generating results. I am worried that since the transaction will list 2 account domains for one result, the grouping through results will have inflated results (i.e. result has domain a and domain b listed, domain a and domain b will both receive a count for that one row).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't have a ton of experience with transactions, but can't you just add Account_Domain as one of your transaction groupby fields?
| transaction user Account_Domain... looks like that's possible based on this https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, thanks for the response! Unfortunately, adding an extra group by field doesn't seem to do the trick -- still getting the multiple domains.
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
Index This | I’m short for "configuration file.” What am I?
