https://community.splunk.com/t5/Security/Authenication-datamodel-to-identify-when-a-breakglass-accounts/m-p/509516#M11618 <P>Hi Rich - Hope all is well? Many thanks for getting back to me and providing a solution on the SPL query for the Notable. Already tested it this morning against certain user accounts and it is working fine.&nbsp;</P><P>Thanks again for responding, it pointed me in the right direction to get this set up correctly.</P> Thu, 16 Jul 2020 13:29:00 GMT Thundercat 2020-07-16T13:29:00Z https://community.splunk.com/t5/Security/Authenication-datamodel-to-identify-when-a-breakglass-accounts/m-p/509324#M11616 <P>Hi All,</P><P>Thanks for taking the time to review this message.</P><P>I attempting to create a Splunk notable that will allow me to detect if our organisation 'breakglass' accounts have been successfully authenticated. The existing notable uses the Authentication Data Model and this has been disable in the past for some reason.<BR /><BR />I am attempting to revise this query to search not on one break glass account but for a few. The exist query looks something like this, as shown below.</P><P>| datamodel Authentication Successful_Authentication search | search Authentication.signature_id=4624 Authentication.user=Administrator NOT (host=AWD* OR ComputerName=EC2* OR ComputerName=WIN*)<BR />| rename Authentication.user as user<BR />| table src_ip, user, host<BR />| eval urgency="critical"</P><P>I have change the&nbsp;Authentication.user=Administrator specifically to the userid of the one of the breakglass account, how do I include in the search for the other accounts, by using a OR operator?&nbsp;<BR /><BR />Appreciate any guidance anyone can offer and refining this SPL query.</P><P>Many thanks in advance.</P> Wed, 15 Jul 2020 14:44:05 GMT https://community.splunk.com/t5/Security/Authenication-datamodel-to-identify-when-a-breakglass-accounts/m-p/509324#M11616 Thundercat 2020-07-15T14:44:05Z https://community.splunk.com/t5/Security/Authenication-datamodel-to-identify-when-a-breakglass-accounts/m-p/509362#M11617 <P>Yes, you can use <FONT face="courier new,courier">OR</FONT>.</P><LI-CODE lang="markup">| datamodel Authentication Successful_Authentication search | search Authentication.signature_id=4624 (Authentication.user=Administrator OR Authentication.user=foo OR Authentication.user=bar) NOT (host=AWD* OR ComputerName=EC2* OR ComputerName=WIN*) ...</LI-CODE><P>&nbsp;</P> Wed, 15 Jul 2020 17:48:56 GMT https://community.splunk.com/t5/Security/Authenication-datamodel-to-identify-when-a-breakglass-accounts/m-p/509362#M11617 richgalloway 2020-07-15T17:48:56Z https://community.splunk.com/t5/Security/Authenication-datamodel-to-identify-when-a-breakglass-accounts/m-p/509516#M11618 <P>Hi Rich - Hope all is well? Many thanks for getting back to me and providing a solution on the SPL query for the Notable. Already tested it this morning against certain user accounts and it is working fine.&nbsp;</P><P>Thanks again for responding, it pointed me in the right direction to get this set up correctly.</P> Thu, 16 Jul 2020 13:29:00 GMT https://community.splunk.com/t5/Security/Authenication-datamodel-to-identify-when-a-breakglass-accounts/m-p/509516#M11618 Thundercat 2020-07-16T13:29:00Z