Alerting

How can I create an alert to notify when an action is not done within "X" days?

DeanDeleon0
Path Finder

Hello,

We have a search that will show both an Active Directory account that has been set to expire and it will also show if the account was moved to the correct Organizational Unit.

EventCode=4738 Account_Expires!="-" | eval  Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, Account_Expires| append [|search  EventCode=5139 [|search EventCode=4738 Account_Expires!="-" | eval  Account_Name=mvindex(Account_Name, -1) |eval New_DN="CN=".replace(Account_Name,"\."," ").",OU=*,OU=Users - Disabled,DC=testdomain,DC=ca" | table New_DN] |table _time, Account_Name, New_DN, Old_DN]

We would like to create an alert that would notify us if there is no match between the two with approximately 7 days. For example, as per the image below, an alert would notify us that "Wally.West" has not been moved to the Disabled OU within 7 days.

alt text

Any help with this would be greatly appreciated.

Tags (2)
0 Karma
1 Solution

DeanDeleon0
Path Finder

Ok, so we went back to the drawing board with this one and ended up changing how we search for the information. We have a task that collects the AD user data into a lookup table and am now able to show the SamAccountName, DistinguishedName, AccountExpires and has it set to show accounts that have reached over 10 days of the expires date :

| inputlookup ad-user-lookup |  eval expires=strptime(AccountExpires,"%m/%d/%Y %H:%M:%S %p") | eval is_interesting=if(expires<now()-60*60*24*10,1,0) | search is_interesting=1 NOT DistinguishedName="*,OU=Users - Disabled,DC=testdomain,DC=ca" NOT DistinguishedName="*,OU=Training*" NOT DistinguishedName="*OU=Users - On Leave,DC=testdomain,DC=ca" | table SamAccountName, DistinguishedName, AccountExpires, expires, is_interesting

This will help us identify accounts that had an expire date set that are not in the On leave, Disabled or training OU's after 10 days.

View solution in original post

0 Karma

DeanDeleon0
Path Finder

Ok, so we went back to the drawing board with this one and ended up changing how we search for the information. We have a task that collects the AD user data into a lookup table and am now able to show the SamAccountName, DistinguishedName, AccountExpires and has it set to show accounts that have reached over 10 days of the expires date :

| inputlookup ad-user-lookup |  eval expires=strptime(AccountExpires,"%m/%d/%Y %H:%M:%S %p") | eval is_interesting=if(expires<now()-60*60*24*10,1,0) | search is_interesting=1 NOT DistinguishedName="*,OU=Users - Disabled,DC=testdomain,DC=ca" NOT DistinguishedName="*,OU=Training*" NOT DistinguishedName="*OU=Users - On Leave,DC=testdomain,DC=ca" | table SamAccountName, DistinguishedName, AccountExpires, expires, is_interesting

This will help us identify accounts that had an expire date set that are not in the On leave, Disabled or training OU's after 10 days.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try (your alert should fire when below search result returns a results or number of events are greater than zero)

EventCode=4738 Account_Expires!="-" | eval  Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, Account_Expires
| append [|search  EventCode=5139 [|search EventCode=4738 Account_Expires!="-" | eval  Account_Name=mvindex(Account_Name, -1) |eval New_DN="CN=".replace(Account_Name,"\."," ").",OU=*,OU=Users - Disabled,DC=testdomain,DC=ca" | eval TransferTime=_time | table TransferTime Account_Name New_DN] 
|stats values(TransferTime) as TransferTime values(New_DN) as New_DN values(Account_Expires) as Account_Expired by Account_Name
| where isnull(TransferTime) OR abs(TransferTime-_time)>7*86400
0 Karma

DeanDeleon0
Path Finder

Hi, thank you for the response!

I gave it a go and unfortunately it does not seem to be returning correct data. It had a mismatched "]", so I added it after "New_DN]]"

EventCode=4738 Account_Expires!="-" | eval  Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, Account_Expires
 | append [|search  EventCode=5139 [|search EventCode=4738 Account_Expires!="-" | eval  Account_Name=mvindex(Account_Name, -1) |eval New_DN="CN=".replace(Account_Name,"\."," ").",OU=*,OU=Users - Disabled,DC=testdomain,DC=ca" | eval TransferTime=_time | table TransferTime Account_Name New_DN]]
 |stats values(TransferTime) as TransferTime values(New_DN) as New_DN values(Account_Expires) as Account_Expired by Account_Name
 | where isnull(TransferTime) OR abs(TransferTime-_time)>7*86400

I am wondering if it is because the original search converts the account name from "bruce.wayne" to "bruce wayne" (period to a space).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...