Use Case: Correlate logon events from a Windows desktop to events on the domain controller.

Sample (shortened) event from the desktop:
CEF:0|Microsoft|Microsoft Windows||Security:528|Successful Logon|Low| eventId=9484152 externalId=528 msg=RemoteInteractive: A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.

Sample (shortened) events from the domain controller:
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110125027 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956463 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110125025 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956463 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110124994 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956197 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110124964 externalId=540 msg=Network: A user or computer logged on to this computer from the network.

The events on the domain controller occur within 1 second of the logon event being generated on the endpoint. The events on the DC and endpoint are linked by the dvc field on the endpoint and the src field on the DC. The goal is to present linked events occurring within 1 minute of each other as a single transaction.

source=*event*.log (suser=svc_eiq OR duser=svc_eiq) (externalId=528 OR externalId=540) (cn1=10 OR cn1=2 OR cn1=3) | transaction dvc src maxspan=1m maxpause=3s

The result is 2 events/transactions instead of 1. The transaction command first groups all events with the same dvc value, then events with the same src value. How do I get a transaction based on the same value of both dvc and src? Is it possible to accomplish this with the transaction command?

An alternate approach we've tried is to use a subsearch. The inner search first finds the events of interest on the desktop, then passes the dvc field to the outer search renamed as the src field. The complete search will present the relevant domain controller events. The difficulty with this approach is with introducing the time dimension: events occurring within 1 minute of each other. It's not clear to me how to pass time as the art field from the inner to outer search without affecting the search criteria of the outer search.
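The correlation the post is after, as an added example in Python that is not part of the original question and not Splunk code: parse the CEF records, normalise the two addresses (the desktop's own `dvc`, the DC's logon-source `src`) into a single link key, and then group on that key within the `maxspan`/`maxpause` window. The sample input is reconstructed from the post's shortened events; the desktop record's extension tail (its `art` timestamp, `cn1` and `dvc`) is missing from the page and is assumed here, and the final DC record from a different source address is constructed to show the key keeping hosts apart.

```python
"""Correlate a desktop RDP logon (Security 528) with the network logons
(Security 540) it causes on the domain controller.  Added example; the
sample events below are reconstructed/constructed, see comments."""
import re
from collections import defaultdict

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line, so a
# msg=... value containing spaces parses correctly for these samples (which
# carry no escaped pipes or '=' inside values).
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split one CEF record into its seven header fields plus the extensions."""
    parts = line.strip().split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    ev = dict(zip(HEADER_FIELDS, parts[:7]))
    ev.update(EXT_RE.findall(parts[7].strip()))
    return ev


def link_key(ev):
    """One correlation key for both sides: the desktop logon carries its own
    address in dvc, the DC's network logon records that address as src."""
    return ev["dvc"] if ev["externalId"] == "528" else ev["src"]


def correlate(lines, maxspan_ms=60_000, maxpause_ms=3_000):
    """Group events sharing a link key, closing a group when the next event
    is more than maxspan after its first event or more than maxpause after
    its previous one (the transaction semantics the search asks for).
    Returns [(key, [events])] ordered by the first event's art timestamp."""
    events = sorted((parse_cef(l) for l in lines), key=lambda e: int(e["art"]))
    open_txn = {}   # key -> events of the transaction still being built
    closed = []
    for ev in events:
        key, ts = link_key(ev), int(ev["art"])
        txn = open_txn.get(key)
        if txn and (ts - int(txn[0]["art"]) > maxspan_ms
                    or ts - int(txn[-1]["art"]) > maxpause_ms):
            closed.append((key, txn))
            txn = None
        if txn is None:
            txn = open_txn[key] = []
        txn.append(ev)
    closed.extend(open_txn.items())
    return sorted(closed, key=lambda kt: int(kt[1][0]["art"]))


def group_by_raw_fields(lines, fields=("dvc", "src")):
    """For contrast: key on the raw dvc and src values.  The desktop and DC
    records never share a value in the same field, so they land in separate
    groups, which is the 2-transactions result described in the post."""
    groups = defaultdict(list)
    for ev in (parse_cef(l) for l in lines):
        groups[tuple(ev.get(f, "") for f in fields)].append(ev)
    return groups


# Constructed sample input.  Records 2-4 are the post's DC events with their
# extension tails; record 1 is the post's desktop event with an ASSUMED tail
# (art, cn1 and dvc are not on the page); record 5 is constructed.
SAMPLE = [
    "CEF:0|Microsoft|Microsoft Windows||Security:528|Successful Logon|Low| eventId=9484152 externalId=528 msg=RemoteInteractive: A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection. art=1261604956000 suser=- duser=svc_eiq cn1=10 cn1Label=LogonType dvc=10.151.113.33",
    "CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110125027 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956463 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38",
    "CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110125025 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956463 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38",
    "CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110124994 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956197 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38",
    # constructed: same DC, a different (unrelated) source host
    "CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110124900 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956300 src=10.151.113.99 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38",
]

if __name__ == "__main__":
    for key, evs in correlate(SAMPLE):
        print(key, [e["eventId"] for e in evs])
```

The normalisation step is the whole trick: once both sides expose the endpoint address under one name, a single-field transaction does what the two-field one cannot. In SPL the same idea is a one-line `eval` inserted before the transaction, for instance `| eval link=if(externalId==528, dvc, src) | transaction link maxspan=1m maxpause=3s`; that is a suggestion of mine, not something the original post tried.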