- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Account Creation And Deletion within a given time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Account Creation And Deletion within a given time
Hello, I'm trying to create a query to monitor when users create accounts and then within a given time window delete the account.
I've got this so far:
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Creation", EventCode=4726, "Account Creation", EventCode=624, "Account Deletion", EventCode=4720, "Account Deletion") |
The Pseudo code for what I'm looking for would be:
. . . | where Account Creation AND Account Deletion occur within x hours
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here with the modified one
index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) |rex field=_raw "(?ms)^(?P\d+\S+\s\S*\s\w+)" | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 86400 | eval Account_Created_Time=mvindex(time,0)|eval
Account_Deleted_Time=mvindex(time,1) |eval Created_Account_EventCode =mvindex(EventCode,0)|eval Deleted_Account_EventCode =mvindex(EventCode,1)|eval Account_Created_By =mvindex(src_user,0)|eval Account_Deleted_By=mvindex(src_user,1) | table Account_Created_Time Account_Created_By Created_Account_EventCode user
Account_Deleted_Time Deleted_Account_EventCode Account_Deleted_By | eval Account_Deleted_By=if(isnull(Account_Deleted_By),Account_Created_By,Account_Deleted_By) | Rename user as Account_Created_And_Deleted |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modified query
index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) |rex field=_raw "(?ms)^(?P\d+\S+\s\S*\s\w+)" | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 86400 | eval Account_Created_Time=mvindex(time,0)|eval Account_Deleted_Time=mvindex(time,1) |eval Created_Account_EventCode =mvindex(EventCode,0)|eval Deleted_Account_EventCode =mvindex(EventCode,1)|eval Account_Created_By =mvindex(src_user,0)|eval Account_Deleted_By=mvindex(src_user,1) | table Account_Created_Time Account_Created_By Created_Account_EventCode user Account_Deleted_Time Deleted_Account_EventCode Account_Deleted_By | eval Account_Deleted_By=if(isnull(Account_Deleted_By),Account_Created_By,Account_Deleted_By) | Rename user as Account_Created_And_Deleted |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I've got one right here for ya!
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 3600
I've tested it and get correct results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
So the event codes were improperly associated with the event descriptions, fixed that.
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 3600
This works in my environment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Creation", EventCode=4726, "Account Creation", EventCode=624, "Account Deletion", EventCode=4720, "Account Deletion")
|transaction startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < X*3600
where X is your hours.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But this will not valid for same user who is created and deleted.
Above query is valid for X user account created and Y user account got deleted.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
