topic Re: Same computer multiple authentication attempts in Splunk Search

Same computer multiple authentication attempts

johann2017 — Tue, 19 Feb 2019 04:09:29 GMT

Hello. How would I write a search to show a computer that has been authenticating to multiple machines. For example, a hacker is logged into one computer (let's call it computer "A"), and from that same computer he is successfully logging onto multiple machines across the network (computers "B - Z"). How would I return the source computer "A" (or IP address) and the destination machines ("B - Z") that he has been logging into?

This is assuming I don't know what computer the hacker is on. Therefore, I imagine some sort of logon threshold from a single machine would need to be defined in order to identify this type of behavior?

Re: Same computer multiple authentication attempts

woodcock — Tue, 19 Feb 2019 04:51:38 GMT

If you are using CIM, like this:

| tstats summariesonly=t count values(dest) AS destCount
FROM datamodel=Authentication 
WHERE index=* AND nodename=Authentication.Successful_Authentication
BY Authentication.src
| where destCount >= 2

Re: Same computer multiple authentication attempts

johann2017 — Tue, 19 Feb 2019 23:10:11 GMT

No we aren't using CIM. Seems like it could be useful. It's to help give you some sort of normalization for your data?

Re: Same computer multiple authentication attempts

woodcock — Wed, 06 Mar 2019 09:03:32 GMT

Exactly. You definitely should start there and come back here after that and click Accept either on this answer or on your answer after posting what you actually did.