Getting Data In

Match 2 Windows Events around the same time

willadams
Contributor

I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 woild have a failure also loogged saying "account is disabled"). I can find both of these as seperate events but how do I correlate them.

For example if I did say sourcetype="winseclogs" Eventcode=4768 I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say sourcetype="winseclogs" Eventcode=4625 I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slightl drift). How would I correlate these into a single search?

I tried this and it looks like it should work but not too sure sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]

0 Karma

dmarling
Builder

You can create a transaction that will accomplish this with the Account_Name as your field you join on:

sourcetype="winseclogs" (Eventcode=4625 OR Eventcode=4768)
| transaction Account_Name maxspan=5s
| search Eventcode=4625 Eventcode=4768

That will join the events together if they happen within 5 seconds of each other. If they truly always occur at the same exact time then you can drop that down to 1s.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...