Alerting

Attempting to Track authentications from a single src to many destinations within a time period

bavituity
New Member

This is the current query, but it's not really providing the needed data for the search.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| transaction src maxspan=10m maxpause=2m
| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src
| search Dest_Count >35
| sort - Dest_Count

I really don't care about the Dest_Count >35; it was an attempt to gather something to start with. I was told to research the transaction command to obtain the required results.

0 Karma

richgalloway
SplunkTrust

The transaction command may help, but not with those options.

| transaction src maxspan=10m maxpause=2m

says to combine events with the same value in the src field and to close the transaction after 10 minutes or if there is a gap of at least 2 minutes between events.  That doesn't meet the requirements as I understand them.  Perhaps this will get you closer:

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| transaction src maxspan=2m
| where eventcount > 10
| sort - eventcount 

Be warned that transaction is an inefficient command.  A faster method uses streamstats (adapted from https://community.splunk.com/t5/Splunk-Search/Multiple-Login-Failure-Attempts/td-p/325933)

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src 
| where Dest_Count >= 10
| sort - Dest_Count
---
If this reply helps you, Karma would be appreciated.
0 Karma

bavituity
New Member

How would I combine this output to look similar to this, as an example. I may have selected the wrong options, but the requirements are still the same.

SRC (Source System)    Dest_count    Target_Systems
Host123                5             Hosta
                                     Hostb
                                     Hostc
                                     Hostd
                                     Hoste
                                     Hoste

0 Karma

richgalloway
SplunkTrust

Try this.  The stats command does the grouping you seek.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src 
| where Dest_Count >= 10
| stats values(Dest_Count) as Dest_Count, values(dest) as Target_Systems by src
| sort - Dest_Count
---
If this reply helps you, Karma would be appreciated.
0 Karma
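To make the sliding-window semantics of the streamstats approach above concrete, here is an added Python model of the same detection (not code from the thread or from Splunk): per src, count distinct dest values seen in the two minutes ending at each 4624 event, flag sources whose window reaches the threshold, and group the flagged destinations per source. The event tuples are constructed sample data; it reports the peak distinct count per source rather than every value, which is where it differs from the `values(Dest_Count)` in the SPL.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed 4624 / Logon_Type=3 events as (timestamp, src, dest) tuples,
# i.e. the fields the thread's SPL queries already assume exist.
def _ev(minute, second, src, dest):
    return (datetime(2024, 1, 1, 12, minute, second), src, dest)

SAMPLE_EVENTS = (
    [_ev(0, 5 * i, "HOST123", f"srv{i:02d}") for i in range(12)]          # 12 hosts in 55 s
    + [_ev(10 + 2 * i, 0, "JUMPBOX1", f"app{i:02d}") for i in range(12)]  # 12 hosts over 22 min
    + [_ev(3, 0, "FILESRV01", "dc01"), _ev(3, 30, "FILESRV01", "dc01")]   # same host twice
)

def lateral_spread(events, window=timedelta(minutes=2), threshold=10):
    """Approximate `streamstats time_window=2m dc(dest) BY src | where Dest_Count >= 10
    | stats ... by src`: per source, count distinct destinations in a sliding window
    ending at each event, and report sources whose window ever reaches the threshold."""
    # streamstats time_window needs events in ascending time order; sort explicitly,
    # since a raw Splunk search returns newest-first.
    recent = defaultdict(deque)   # src -> (ts, dest) pairs still inside the window
    peak = {}                     # src -> highest distinct-dest count seen
    targets = defaultdict(set)    # src -> destinations observed in any flagged window
    for ts, src, dest in sorted(events, key=lambda e: e[0]):
        q = recent[src]
        q.append((ts, dest))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        dests = {d for _, d in q}
        if len(dests) >= threshold:
            peak[src] = max(peak.get(src, 0), len(dests))
            targets[src] |= dests
    # Shape the output like the thread's stats output, highest Dest_Count first.
    return [{"src": s, "Dest_Count": peak[s], "Target_Systems": sorted(targets[s])}
            for s in sorted(peak, key=peak.get, reverse=True)]

if __name__ == "__main__":
    for row in lateral_spread(SAMPLE_EVENTS):
        print(row["src"], row["Dest_Count"], ", ".join(row["Target_Systems"]))
```

With the sample data only HOST123 is flagged: JUMPBOX1 touches as many hosts but never more than two inside any two-minute window, which is exactly why the time-bounded count matters more than a plain dc(dest) over the whole search.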

bavituity
New Member

Thanks for your response,

The required result is to determine if a single system was logging into multiple systems within a time period. If system credentials were compromised, they may be logging into multiple systems within a time span. I understand event 4624 is a legitimate log, but it may indicate a possible issue if logging from the same system into multiple devices. I really don't need the | where Dest_Count >35. I need to know, for example, if there were 10 successful logins from the same system within 2 minutes. That's why I was attempting to use the | transaction src maxspan=10m maxpause=2m. I hope that clears up the requirements.

0 Karma

richgalloway
SplunkTrust

It would help if you said what the required results are, but I think the transaction command is not needed.  Try this query, which assumes the dest and src fields already exist.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src
| where Dest_Count >35
| sort - Dest_Count

---
If this reply helps you, Karma would be appreciated.
0 Karma