How to trigger an alert when a user account connec...

barisca009 · ‎09-25-2014

Hi all,
How can an alert be triggered when a user account is used to connect to vpn from Internal and then used to log on to a workstation in domain network within a close time range? (ie: in 5 mins range)
Suppose that check point logs and windows security logs have been collected.
Regards.

yannK · ‎09-28-2014

Search all the events, then use a transaction per user to find those events over a particular time span, and add conditions to trigger alert.

conditions_vpn_events OR condition_login_events | transaction user maxpause=5min startswith="vpn login" endswith="workstation logon"

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Transaction, 1. First, find the events :

Or group by the timestamp | bucket _time span=5m then count them per user
Finally decide what should be the conditions to trigger alert | where mycondition=true
Test the search

Then you can make this a search a scheduled search with alerting, if you did the conditions well to return only alert events, setup an alert condition like : number of results >0

How to trigger an alert when a user account connects internally to VPN and to a workstation in a domain network within 5 minutes?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability