
Attempting to Track authentications from a single src to many destinations within a time period

bavituity
New Member

This is the current query, but it's not really providing the needed data for the search.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3

| transaction src maxspan=10m maxpause=2m

| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src

| search Dest_Count >35

| sort - Dest_Count

I really don't care about the Dest_Count >35; it was an attempt to gather something to start with. I was told to research the transaction command to obtain the required results.

0 Karma

richgalloway
SplunkTrust

The transaction command may help, but not with those options.

| transaction src maxspan=10m maxpause=2m

says to combine events with the same value in the src field and to close the transaction after 10 minutes or if there is a gap of at least 2 minutes between events.  That doesn't meet the requirements as I understand them.  Perhaps this will get you closer:

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| transaction src maxspan=2m
| where eventcount > 10
| sort - eventcount 

Be warned that transaction is an inefficient command.  A faster method uses streamstats (adapted from https://community.splunk.com/t5/Splunk-Search/Multiple-Login-Failure-Attempts/td-p/325933).

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src 
| where Dest_Count >= 10
| sort - Dest_Count
---
If this reply helps you, Karma would be appreciated.
0 Karma

bavituity
New Member

How would I combine this output to look similar to this, as an example. I may have selected the wrong options, but the requirements are still the same.

SRC (Source System)    Dest_count    Target_Systems
Host123                5             Hosta
                                     Hostb
                                     Hostc
                                     Hostd
                                     Hoste
                                     Hoste

0 Karma

richgalloway
SplunkTrust

Try this.  The stats command does the grouping you seek.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src 
| where Dest_Count >= 10
| stats values(Dest_Count) as Dest_Count, values(dest) as Target_Systems by src
| sort - Dest_Count
---
If this reply helps you, Karma would be appreciated.
0 Karma
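To make the mechanics of the two streamstats answers above concrete, here is an added Python emulation that is not from the thread or from Splunk: it walks constructed 4624 Logon_Type=3 records in time order, keeps a trailing 2-minute window of destinations per src (what `streamstats time_window=2m dc(dest) AS Dest_Count BY src` does), applies the threshold, and then groups the result per source the way the `stats ... by src | sort - Dest_Count` step does. All timestamps, host names and the lowered threshold of 3 are invented for the small sample; the thread uses 10.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events as (timestamp, src, dest) tuples, standing in for
# the fields Splunk extracts from EventCode=4624 Logon_Type=3 records.
# Not real log data; timestamps and host names are invented.
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:00", "host123", "hosta"),
    ("2024-05-01 10:00:20", "host123", "hostb"),
    ("2024-05-01 10:00:40", "host123", "hosta"),  # repeat dest: dc() counts it once
    ("2024-05-01 10:01:10", "host123", "hostc"),
    ("2024-05-01 10:01:30", "host123", "hostd"),
    ("2024-05-01 10:00:00", "host456", "hostx"),
    ("2024-05-01 10:05:00", "host456", "hosty"),  # too spread out to ever
    ("2024-05-01 10:10:00", "host456", "hostz"),  # hold 2 dests in one window
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def sliding_dest_counts(events, window=timedelta(minutes=2)):
    """Emulate `streamstats time_window=2m dc(dest) AS Dest_Count BY src`.

    Walks the events in time order and, for each one, returns
    (src, dest, Dest_Count, window_dests): Dest_Count is the number of
    distinct dest values this src reached in the trailing window, and
    window_dests is that set of destinations.
    """
    recent = defaultdict(deque)  # src -> (time, dest) pairs still in the window
    out = []
    for ts, src, dest in sorted(events, key=lambda e: parse(e[0])):
        t = parse(ts)
        q = recent[src]
        q.append((t, dest))
        while t - q[0][0] > window:  # expire events older than the window
            q.popleft()
        dests = frozenset(d for _, d in q)
        out.append((src, dest, len(dests), dests))
    return out


def flag_fan_out(events, threshold, window=timedelta(minutes=2)):
    """Emulate `| where Dest_Count >= threshold | stats ... BY src | sort - Dest_Count`.

    Returns one row per flagged src with its peak distinct-destination count
    in any window and every destination that sat inside a window which
    crossed the threshold, sorted with the widest fan-out first.
    """
    per_src = {}
    for src, _dest, count, dests in sliding_dest_counts(events, window):
        if count < threshold:
            continue
        row = per_src.setdefault(src, {"src": src, "Dest_Count": 0, "Target_Systems": set()})
        row["Dest_Count"] = max(row["Dest_Count"], count)
        row["Target_Systems"] |= dests
    rows = [dict(r, Target_Systems=sorted(r["Target_Systems"])) for r in per_src.values()]
    return sorted(rows, key=lambda r: r["Dest_Count"], reverse=True)


if __name__ == "__main__":
    # threshold lowered to 3 for the small sample; the thread uses 10
    for row in flag_fan_out(SAMPLE_EVENTS, threshold=3):
        print(row)
```

Two points the emulation makes visible. First, host456 reaches three different systems but never more than one inside any 2-minute window, so a trailing window never flags it, whereas a plain `stats dc(dest) by src` over the whole search period would count 3. Second, the SPL in the reply above lists Target_Systems with `values(dest)` only for the events that survived the `where`, so it would show hostc and hostd for host123 but not hosta and hostb, which only contributed to the count; this example instead keeps every destination that was in a window at the moment it crossed the threshold, which is closer to the output the question asks for.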

bavituity
New Member

Thanks for your response,

The required result is to determine if a single system was logging into multiple systems within a time period. If system credentials were compromised, they may be logging into multiple systems within a time span. I understand event 4624 is a legitimate log, but it may indicate a possible issue if logging from the same system into multiple devices. I really don't need the | where Dest_Count >35. I need to know, for example, if there were 10 successful logins from the same system within 2 minutes. That's why I was attempting to use the | transaction src maxspan=10m maxpause=2m. I hope that clears up the requirements.

0 Karma

richgalloway
SplunkTrust

It would help if you said what the required results are, but I think the transaction command is not needed.  Try this query, which assumes the dest and src fields already exist.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src
| where Dest_Count >35
| sort - Dest_Count

---
If this reply helps you, Karma would be appreciated.
0 Karma