I am searching for AD accounts that are created and deleted in a short period, but we have a multiple forest environment, and as a result, when an account is created on domain A with the same ID as an account deleted on domain B, it correlates those events. I need to limit my transaction to only correlate events that occur on the same domain.
Current search is as follows:
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
In other words, I am trying to add something to the above search so that it only reports a short-term account where the account creation domain = account deletion domain. Any help is much appreciated!
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| reverse
| streamstats count(eval(status="Account Deletion")) as session_id by user
| eval AcctDm=case(match(Account_Domain,"a"), "Domain A", match(Account_Domain,"b"), "Domain B", match(Account_Domain,"c"), "Domain C")
| stats count by AcctDm user session_id
Hi,
Is this the same result?
Something like this:
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| eval AcctDm=case(match(Account_Domain,"a"), "Domain A", match(Account_Domain,"b"), "Domain B", match(Account_Domain,"c"), "Domain C")
| stats count by AcctDm user
Hope this helps,
Mike
Hey Mike - I appreciate the response. I have tried with similar case matching, but haven't had success generating results. I am worried that since the transaction will list 2 account domains for one result, the grouping through results will have inflated results (i.e. result has domain a and domain b listed, domain a and domain b will both receive a count for that one row).
I don't have a ton of experience with transactions, but can't you just add Account_Domain as one of your transaction groupby fields?
| transaction user Account_Domain...
Looks like that's possible based on this: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Transaction
Hey, thanks for the response! Unfortunately, adding an extra group by field doesn't seem to do the trick -- still getting the multiple domains.
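Pulling the thread together, here is an added example search (mine, not code from any of the posters above) that pairs each creation with the next deletion of the same account in the same domain and drops anything that cannot be paired. Two things explain why the attempts above kept showing several domains per row. First, transaction merges the field values of its member events into multivalue fields, so on a merged creation/deletion row Account_Domain carries both events' domains and a case() over it, or a stats by it, counts the row under more than one domain. Second, in a 4720 or 4726 event the raw text lists the Subject's Account Domain (the admin who made the change) before the New Account / Target Account's Account Domain, so the auto-extracted Account_Domain is already multivalued on each single event, and adding it as a transaction group-by field does not give one clean key. The example assumes that 4720/4726 layout, so mvindex(Account_Domain, -1) is the target account's domain (an assumption to verify against your own extractions, and it will not hold for the legacy 624/630 events, whose domain fields are named differently); it also assumes the `user` field from the Windows add-on that the original search uses. The field names action, target_domain, create_seq, lifetime_seconds and the 86400-second lifetime threshold are my own choices.

```spl
index=wineventlog sourcetype=wineventlog
    (EventCode=624 OR EventCode=4720 OR EventCode=630 OR EventCode=4726)
    (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| eval action=case(EventCode=624 OR EventCode=4720, "created",
                   EventCode=630 OR EventCode=4726, "deleted")
| eval target_domain=mvindex(Account_Domain, -1)
| sort 0 target_domain user _time
| streamstats count(eval(action="created")) as create_seq by target_domain user
| stats min(eval(if(action="created", _time, null()))) as created_time
        max(eval(if(action="deleted", _time, null()))) as deleted_time
        values(EventCode) as event_codes
        by target_domain user create_seq
| where isnotnull(created_time) AND isnotnull(deleted_time)
| eval lifetime_seconds=deleted_time - created_time
| where lifetime_seconds <= 86400
| convert ctime(created_time) ctime(deleted_time)
| table target_domain user created_time deleted_time lifetime_seconds event_codes
```

Stage by stage: the first eval normalises the four event codes into created/deleted; the second picks the target account's domain out of the multivalue field so that every event carries exactly one domain; sort and streamstats number the creations per (domain, user), and because the count is taken in time order a deletion inherits the sequence number of the creation that preceded it, so a second create/delete cycle of the same name gets its own create_seq instead of being folded into the first; stats then collapses each (domain, user, create_seq) group into one row with the creation and deletion times, and the first where discards groups that have only one side (an account deleted before the search window starts, or one created and still present). Tighten the 86400 threshold to whatever "short period" means in your environment, and if Account_Domain turns out not to be multivalued in your extractions, replace the mvindex line with the field that holds the target account's domain.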