Let me first say, I'm sure I could write a search that essentially returns what I'm looking for; however, due to the amount and nature of the data it would not be a fast-running search. I'm looking to broaden my horizons using data models and acceleration to make this more efficient.
The goal: provide daily reports on activity for "flagged" accounts, only WHILE they are flagged. E.g., if an account is flagged from 5/16/2018 12:00 pm to 2:00 pm, I'd like to find authentication activity for that account during that 2-hour period for which it was flagged.
I can easily write a search to return a list of accounts which had been flagged and the time span they were flagged for, but I'm looking for advice on efficient ways to find the authentication events related to that flagged period. We have ES, with an accelerated authentication data model, though I don't have a good sense of how to apply my query to it. Would this be a custom correlation search in ES?
Any suggestions, links, examples are highly appreciated.
Thank you.
How many users do you typically have flagged at one time? How do you go about flagging them in Splunk (just adding to a lookup table, maybe)? I haven't worked with ES, but could imagine building something around this with a couple of lookups (csv or kvstore) and a scheduled search. One lookup would contain flagged users (updated manually, with the lookup editor, or with some other automation), and your scheduled search would constantly scan the last minute, every minute, for auth events that match users in that lookup. The search would then input the auth events lookup, find new data in the last minute for matching users, remove users that don't exist anymore, and rewrite the lookup.
If you're going the ES route, data model acceleration allows you to use tstats as a fast command to return results. I would assume if you dig into the macros for what's populating your dashboards, you'll find the searches they use behind the scenes.
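One way to put the two ideas above together (a lookup of flagged accounts plus tstats against the accelerated Authentication data model) is the scheduled search below. This is an added example, not code from the original question or answer and not an ES correlation search shipped by Splunk. It assumes a lookup named `flagged_accounts` with the columns `user`, `flag_start` and `flag_end`, where the two timestamps are epoch seconds and a user may appear on more than one row (one row per flagged period); those names and that layout are assumptions, not something the thread specifies. It is meant to run once a day over the previous day (`-1d@d` to `@d`), keeping only the authentication activity that falls inside each user's flagged window.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication
    where earliest=-1d@d latest=@d
    by _time span=1m Authentication.user Authentication.src Authentication.dest Authentication.action Authentication.app
| rename Authentication.* as *
| lookup flagged_accounts user OUTPUT flag_start flag_end
| where isnotnull(flag_start)
| eval window=mvzip(flag_start, flag_end, "|")
| mvexpand window
| eval flag_start=tonumber(mvindex(split(window, "|"), 0)),
       flag_end=tonumber(mvindex(split(window, "|"), 1))
| where _time >= flag_start AND _time < flag_end
| stats sum(count) as count, min(_time) as first_seen, max(_time) as last_seen
        by user flag_start flag_end src dest action app
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S"),
       flag_start=strftime(flag_start, "%Y-%m-%d %H:%M:%S"),
       flag_end=strftime(flag_end, "%Y-%m-%d %H:%M:%S")
| sort user flag_start first_seen
```

A few design notes. `summariesonly=true` restricts tstats to the accelerated summaries, which is what makes it fast; if acceleration is lagging, events that are not yet summarised will be missing from that day's report, so check the data model's acceleration status before trusting a gap. Bucketing `by _time span=1m` is what lets tstats return a time per row at all; the window comparison is therefore accurate to the minute, which is usually fine for a daily report, and you can tighten the span at the cost of more rows. The `lookup` returns every matching row for a user as multivalue fields, so `mvzip` plus `mvexpand` turns them back into one row per flagged period before the `where` keeps only events inside that period; without that step a user with two flagged windows would be compared against a pair of multivalue fields and silently match nothing. The filter is applied after tstats rather than inside its `where` clause because the flagged windows live in a lookup, not in the summary. Finish the search with `| outputlookup` or a scheduled alert action, or save it as a report, depending on where the daily output needs to land.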