Hi all,
How can an alert be triggered when a user account is used to connect to vpn from Internal and then used to log on to a workstation in domain network within a close time range? (ie: in 5 mins range)
Suppose that check point logs and windows security logs have been collected.
Regards.
Search all the events, then use a transaction per user to find those events over a particular time span, and add conditions to trigger alert.
conditions_vpn_events OR condition_login_events | transaction user maxpause=5min startswith="vpn login" endswith="workstation logon"
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Transaction, 1. First, find the events :
Or group by the timestamp | bucket _time span=5m
then count them per user
Finally decide what should be the conditions to trigger alert | where mycondition=true
Test the search
Then you can make this a search a scheduled search with alerting, if you did the conditions well to return only alert events, setup an alert condition like : number of results >0