Alerting

how to limit events returned at the same time based on the field "logon_type"

massumtaqi
New Member

I am trying to limit the events returned, or the number of alerts triggered, at the same time or within 5 seconds if the field "logon_type" is the same in all events.

I want to check that condition and, if it is met, i.e. Logon_Type="!7" within 5 seconds, trigger the alert once regardless of how many events kick in. So, for example, if the logon type is 3 then only one event should show.

0 Karma

massumtaqi
New Member

EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"

It shows multiple events with logon type 3 when I RDP into a server. I want to limit that to 1. How can I do that?

0 Karma

Sukisen1981
Champion

Have you thought about doing it through a single alert? For example, say logon type 3 occurs 2 times during a 5 second interval and logon type 4 occurs once within the same 5 second interval; your single alert should contain a result with a column header (say logon_type) with 2 row entries, 1 each for types 3 and 4.
Without looking at your alert search it could be something like this - | where Logon_Type!="7" | dedup Logon_Type | table _time,Logon_Type

0 Karma

massumtaqi
New Member

It works, thanks. However, I keep getting one email for logon type 3 every few minutes (not constant, 10 min, 20 min) while I am RDP'd into the server and not doing anything, just logged in basically. How do I stop those concurrent emails, as I need one email only when I use my login credential initially? Thanks again!

0 Karma

Sukisen1981
Champion

Hi, that is more of an alert search issue... we need to look at your events and see what search you are executing to generate the alert.

0 Karma

massumtaqi
New Member

EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| dedup Logon_Type

This is what I am trying to execute, because I want to be alerted when my admin account (.a) is used. When I log in to the server and stay in and do nothing, the event triggers every 5 to 20 minutes on logon type 3, which I don't want, as I want to be alerted only once.

For example, if my .a account is used to run a script that would create another .a account without actually logging in or RDPing in to the server, I should be alerted once with logon type 3. Therefore, I put a where clause on logon type 3 if there is no preceding logon type 2 or 10.

Please advise!

0 Karma

woodcock
Esteemed Legend

Your question is very unclear, but there is a throttling mechanism in the save dialog that has many options, including checking recent field values. If you need more direct control, you can add | outputlookup alert_tracking.csv and save this as a simple report, and have another search which is the actual alert start with | inputlookup alert_tracking.csv followed by the throttling logic that you need.

0 Karma
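The suppression logic the thread is circling (one alert per account and logon type, with repeats inside a window swallowed, tracked in a lookup-like store as woodcock suggests) written out as an added Python example, not code from the thread or from Splunk. It assumes a simplified 4624 message layout and simplified regexes with the named groups spelled out; the events and the 30-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-ins for the thread's rex stages (assumed, not the poster's exact patterns).
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(?P<Logon_Type>\w+)")
SECURITY_ID_RE = re.compile(r"New Logon:\s+Security ID:\s+(?P<Login_Security_ID>\S+)")
LOGON_GUID_RE = re.compile(r"Logon GUID:\s+(?P<Logon_GUID>\{[0-9A-Fa-f-]+\})")
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"


def parse_4624(message):
    """Extract the three fields the search relies on; None if any is missing."""
    fields = {}
    for pat in (LOGON_TYPE_RE, SECURITY_ID_RE, LOGON_GUID_RE):
        m = pat.search(message)
        if not m:
            return None
        fields.update(m.groupdict())
    return fields


def throttled_alerts(events, account_fragment="mtaqi.a", logon_type="3", window_seconds=1800):
    """Return (timestamp, account, logon_type) alerts, at most one per key per window.

    `tracking` plays the role of the alert_tracking.csv lookup: the last time an
    alert fired for each (account, logon type), consulted before firing again.
    """
    window, tracking, alerts = timedelta(seconds=window_seconds), {}, []
    for ts, message in sorted(events):
        f = parse_4624(message)
        if f is None or f["Logon_Type"] != logon_type:
            continue
        if account_fragment not in f["Login_Security_ID"] or f["Logon_GUID"] == NULL_GUID:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (f["Login_Security_ID"], f["Logon_Type"])
        if key in tracking and when - tracking[key] < window:
            continue  # repeat inside the suppression window (e.g. session keepalive)
        tracking[key] = when
        alerts.append((ts, key[0], key[1]))
    return alerts


def _msg(logon_type, sid, guid):
    # Constructed 4624-style message body, tab-separated like the Windows event text.
    return f"Logon Type:\t\t\t{logon_type}\n\nNew Logon:\n\tSecurity ID:\t\t{sid}\n\tLogon GUID:\t\t{guid}\n"


SAMPLE_EVENTS = [  # constructed sample stream
    ("2024-05-01 09:00:00", _msg("3", "CORP\\mtaqi.a", "{11111111-1111-1111-1111-111111111111}")),
    ("2024-05-01 09:00:03", _msg("3", "CORP\\mtaqi.a", "{22222222-2222-2222-2222-222222222222}")),
    ("2024-05-01 09:00:01", _msg("10", "CORP\\mtaqi.a", "{33333333-3333-3333-3333-333333333333}")),
    ("2024-05-01 09:12:00", _msg("3", "CORP\\mtaqi.a", "{11111111-1111-1111-1111-111111111111}")),
    ("2024-05-01 09:15:00", _msg("3", "CORP\\mtaqi.a", NULL_GUID)),
    ("2024-05-01 09:20:00", _msg("3", "CORP\\jdoe", "{44444444-4444-4444-4444-444444444444}")),
    ("2024-05-01 10:05:00", _msg("3", "CORP\\mtaqi.a", "{55555555-5555-5555-5555-555555555555}")),
]
```

With the 30-minute window the stream above yields two alerts (09:00:00 and 10:05:00); with a 5-second window the 09:12:00 keepalive fires as well, which is the behaviour the poster is trying to avoid.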

massumtaqi
New Member

Thanks for your response, but I am looking for what I mentioned in the above comment with Sukisen. I appreciate your response though!

0 Karma