Splunk Search

Need to filter search to match src_user and time from one eventcode

lgrachek
Explorer

Below is what I have so far. What I need to do is match the src_user from event code 4724 and the time to events in 4738 that have the same src_user and time, and show the events in 4724 that do not have a match in event code 4738.

index="wineventlog" (EventCode="4724" status=success) OR (EventCode="4738" Password_Last_Set="<never>")   | regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"v  | stats  count(src_user) AS count values(src_user) by src_user,user  | where
0 Karma
1 Solution

gcusello
SplunkTrust

Hi lgrachek,
if you're sure that in your data you have less than 50,000 events with EventCode="4738" Password_Last_Set="<never>", you can use a subsearch to filter events:

index=wineventlog (EventCode=4724 status=success) NOT [ search index=wineventlog EventCode=4738 Password_Last_Set="<never>" | fields user ] 
| ...

If instead you're not sure of this, you can use a search like this:

index=wineventlog (EventCode=4724 status=success) OR (EventCode=4738 Password_Last_Set="<never>")   
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"  
| stats  dc(EventCode) AS count values(EventCode) As EventCode by src_user  
| where count=1 AND EventCode=4724

Choose between user and src_user for your BY clause.

Beware that in a stats command you cannot have the same field in count and BY clause and that there's an extra char at the end of the rex command.

Ciao.
Giuseppe


woodcock
Esteemed Legend

Like this:

 index="wineventlog" (EventCode="4724" status=success) OR (EventCode="4738" Password_Last_Set="<never>") 
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})" 
| streamstats count(eval(EventCode="4724")) AS sessionID BY src_user user
| eventstats dc(EventCode) AS EventCodes BY sessionID src_user user
| where EventCodes==1
0 Karma

lgrachek
Explorer

That last one works well, but the one issue that I'm running into is that the src_user has 3 events in 4724 and one in 4738 at the same time as one of the events in 4724. I need to be able to see the other 2 events that are in 4724 with different times. Is that something that can be done?

0 Karma

gcusello
SplunkTrust

Hi lgrachek,
let me understand, you have
with 4724: user1 user2 user3
with 4738: user2
result: user1 user3
Is it correct?
If this is your need, both my searches solve this problem.

I don't understand what you expect as results: the users or the events?
If the users, you already have the answer;
if the events, you have to change the stats command:

| stats values(_raw) AS _raw dc(EventCode) AS count values(EventCode) As EventCode by src_user

What do you mean by "to see the other 2 events that are in 4724 with different times"?

Ciao.
Giuseppe

0 Karma

lgrachek
Explorer

Ok, so what I need to show is the users that are in 4724 and not in 4738:
with 4724: user1(time 1:00) user2(time 2:00) user3(time 3:00) user1(time 4:00) user3(time 5:00)
with 4738: user2(time 2:00) user1(time 4:00)
result: user1(time 1:00) user3(time 3:00) user4(time 5:00)

I need to see the users that are in 4724 and are not in 4738 at the same time as the event in 4724.
If a user has an event in both 4724 and 4738 they are going to be the same time. Windows AD is going to generate the events at the same time when the user hits ok in the AD console.

Does that help?

0 Karma

gcusello
SplunkTrust

Hi lgrachek,
Ok, try this:

| stats earliest(_time) AS _time dc(EventCode) AS count values(EventCode) As EventCode by src_user

Ciao.
Giuseppe

0 Karma

lgrachek
Explorer

I tried the one you just sent and I'm still not getting the below events. I need to see the other two events that have different times but remove the 4724 and 4738 that have the same user 35204sa and the same time.

10/15/2019 11:46:25 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4724
EventType=0
Type=Information
ComputerName=
TaskCategory=User Account Management
OpCode=Info
RecordNumber=703879269
Keywords=Audit Success
Message=An attempt was made to reset an account's password.

Subject:
Security ID: \35204sa
Account Name: 35204sa
Account Domain:

Logon ID: 0x8F3D0D97

Target Account:
Security ID: \35204
Account Name: 35204

Account Domain:

10/15/2019 11:43:40 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4738
EventType=0
Type=Information
ComputerName=
TaskCategory=User Account Management
OpCode=Info
RecordNumber=703877095
Keywords=Audit Success
Message=A user account was changed.

Subject:
Security ID: \35204sa
Account Name: 35204sa
Account Domain:

Logon ID: 0x8F2A12D8

Target Account:
Security ID: \35204
Account Name: 35204

Account Domain:

10/15/2019 11:43:40 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4724
EventType=0
Type=Information
ComputerName=
TaskCategory=User Account Management
OpCode=Info
RecordNumber=703877089
Keywords=Audit Success
Message=An attempt was made to reset an account's password.

Subject:
Security ID: \35204sa
Account Name: 35204sa
Account Domain:

Logon ID: 0x8F2C27D1

Target Account:
Security ID: \35204
Account Name: 35204

Account Domain:

10/15/2019 10:59:40 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4724
EventType=0
Type=Information
ComputerName=
TaskCategory=User Account Management
OpCode=Info
RecordNumber=703846921
Keywords=Audit Success
Message=An attempt was made to reset an account's password.

Subject:
Security ID: \35204sa
Account Name: 35204sa
Account Domain:

Logon ID: 0x8E1808A6

Target Account:
Security ID: \35204
Account Name: 35204
Account Domain:

0 Karma

gcusello
SplunkTrust

Hi lgrachek,
try this:

 index=wineventlog (EventCode=4724 status=success) OR (EventCode=4738 Password_Last_Set="<never>")   
| rex "(?ms)Target Account:.*Account Name:\s+(?<user>\w*)"
| stats  dc(EventCode) AS count values(EventCode) As EventCode by user  _time
| where count=1 AND EventCode=4724

Ciao.
Giuseppe

0 Karma
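The matching logic this thread converges on, written out as an added stand-alone Python example (not Splunk code and not from any poster here) so the two approaches can be compared offline on the quoted events. `unmatched_by_user` does what the subsearch `NOT [ search ... | fields user ]` does: it drops every 4724 whose target user has any 4738 at all. `unmatched_by_user_and_time` does what the final answer's `stats dc(EventCode) ... by user _time | where count=1 AND EventCode=4724` does: it keys on (user, timestamp) and keeps only groups whose sole event code is 4724. The sample input is constructed from the four events quoted above, trimmed to the fields the code reads; the `TARGET_USER` pattern is the Python form of the `rex` in the last answer, and all function and constant names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, modelled on the Security log events quoted in the thread
# and trimmed to the fields this example reads: three EventCode=4724 password resets
# and one EventCode=4738 account change, all for target account 35204. The 4738
# shares its timestamp with one of the 4724 events, as the thread describes.
SAMPLE_EVENTS = """\
10/15/2019 11:46:25 AM
EventCode=4724
RecordNumber=703879269
Subject:
Security ID: \\35204sa
Account Name: 35204sa
Target Account:
Security ID: \\35204
Account Name: 35204

10/15/2019 11:43:40 AM
EventCode=4738
RecordNumber=703877095
Subject:
Account Name: 35204sa
Target Account:
Account Name: 35204

10/15/2019 11:43:40 AM
EventCode=4724
RecordNumber=703877089
Subject:
Account Name: 35204sa
Target Account:
Account Name: 35204

10/15/2019 10:59:40 AM
EventCode=4724
RecordNumber=703846921
Subject:
Account Name: 35204sa
Target Account:
Account Name: 35204
"""

# Each event begins with a "MM/DD/YYYY hh:mm:ss AM" line; split just before it.
EVENT_START = re.compile(r"(?m)^(?=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$)")
# Python form of the thread's rex: the Target Account's name, not the Subject's.
# The non-greedy .*? stops at the first "Account Name:" after "Target Account:".
TARGET_USER = re.compile(r"(?s)Target Account:.*?Account Name:\s*(\w+)")


def parse_events(raw):
    """Return one dict per event with _time, EventCode, RecordNumber and user."""
    events = []
    for chunk in EVENT_START.split(raw):
        chunk = chunk.strip()
        if not chunk:
            continue
        first_line = chunk.splitlines()[0]
        code = re.search(r"(?m)^EventCode=(\d+)$", chunk)
        rec = re.search(r"(?m)^RecordNumber=(\d+)$", chunk)
        user = TARGET_USER.search(chunk)
        if not (code and rec and user):
            continue  # malformed event: skip it rather than mis-attribute it
        events.append({
            "_time": datetime.strptime(first_line, "%m/%d/%Y %I:%M:%S %p"),
            "EventCode": code.group(1),
            "RecordNumber": int(rec.group(1)),
            "user": user.group(1),
        })
    return events


def unmatched_by_user(events):
    """Subsearch-style anti-join: drop every 4724 whose user has ANY 4738."""
    users_with_4738 = {e["user"] for e in events if e["EventCode"] == "4738"}
    return sorted(e["RecordNumber"] for e in events
                  if e["EventCode"] == "4724" and e["user"] not in users_with_4738)


def unmatched_by_user_and_time(events):
    """stats-style anti-join: group by (user, _time) and keep the groups whose
    only distinct EventCode is 4724, i.e. dc(EventCode)=1 AND EventCode=4724."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["_time"])].append(e)
    unmatched = []
    for members in groups.values():
        if {e["EventCode"] for e in members} == {"4724"}:
            unmatched.extend(e["RecordNumber"] for e in members)
    return sorted(unmatched)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("per-user anti-join:", unmatched_by_user(evs))
    print("per-user-and-time anti-join:", unmatched_by_user_and_time(evs))
```

Run as-is, the per-user version returns nothing, because user 35204 does have a 4738 and so all three resets are discarded; the per-user-and-time version returns the two resets (RecordNumber 703846921 and 703879269) that have no 4738 at the same second, which is the result the question asks for. One caveat when moving this back to Splunk: the join key is the exact `_time` value, so if the 4724 and 4738 are ever written a second apart they will not pair; bucketing `_time` before the `stats` (for example with `bin _time span=...`) is the usual way to tolerate that.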