All Apps and Add-ons

Example of how to identify users with increased login activity?

sloshburch
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk to identify users with increased login activity?

0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Users tend to log into the same hosts with the same frequency as their peers. Users with notably more activity are worth investigating. They might in fact be a user or attacker that acquired a user's account credentials and are actively penetrating the company's servers.

Load data

How to implement: This example use case depends on successful logon events from Windows Security and Unix Secure data.

For Windows logon events, install the add-on for Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] input to collect Windows Event Log security data from endpoints. For Unix-based logon events, install the add-on for Splunk Add-on for Unix and Linux and enable the [monitor:///var/log] input to collect linux_secure, aix_secure, osx_secure, and other security data from endpoints. See the Data Source Onboarding Guides for Windows Security Logs or Data Source Onboarding Guides for Linux Auth Logs for additional guidance on making sure logon events are being collected.

Run the following search to verify you are searching for normalized authentication data that is ready for this use case:

earliest=-1day index=* tag=authentication user=* src=*
| head 10

Get insights

Find users who log into more hosts than usual.

Run the following search.

index=* tag=authentication action=success 
| bucket _time span=1d
| stats dc(host) AS count BY user _time

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: Any suspicious patterns should be investigate in order to determine if the logins are an appropriate behavior for the users job function.

How to respond: Complete the following steps when this search returns values:

  1. Initiate your incident response process and identify the account name associated with the suspicious domain
  2. Establish the time the event occurred and from what system the login attempt occurred
  3. Contact the user and system owners to determine if it is authorized

If the event was authorized, document the case and user credentials. If the event was not authorized, another party may have used the user credentials and additional investigation is warranted. Note that compromised credentials may be used to gain access to a broad set of systems.

Help

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Users tend to log into the same hosts with the same frequency as their peers. Users with notably more activity are worth investigating. They might in fact be a user or attacker that acquired a user's account credentials and are actively penetrating the company's servers.

Load data

How to implement: This example use case depends on successful logon events from Windows Security and Unix Secure data.

For Windows logon events, install the add-on for Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] input to collect Windows Event Log security data from endpoints. For Unix-based logon events, install the add-on for Splunk Add-on for Unix and Linux and enable the [monitor:///var/log] input to collect linux_secure, aix_secure, osx_secure, and other security data from endpoints. See the Data Source Onboarding Guides for Windows Security Logs or Data Source Onboarding Guides for Linux Auth Logs for additional guidance on making sure logon events are being collected.

Run the following search to verify you are searching for normalized authentication data that is ready for this use case:

earliest=-1day index=* tag=authentication user=* src=*
| head 10

Get insights

Find users who log into more hosts than usual.

Run the following search.

index=* tag=authentication action=success 
| bucket _time span=1d
| stats dc(host) AS count BY user _time

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: Any suspicious patterns should be investigate in order to determine if the logins are an appropriate behavior for the users job function.

How to respond: Complete the following steps when this search returns values:

  1. Initiate your incident response process and identify the account name associated with the suspicious domain
  2. Establish the time the event occurred and from what system the login attempt occurred
  3. Contact the user and system owners to determine if it is authorized

If the event was authorized, document the case and user credentials. If the event was not authorized, another party may have used the user credentials and additional investigation is warranted. Note that compromised credentials may be used to gain access to a broad set of systems.

Help

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

sloshburch
Splunk Employee
Splunk Employee

This post has been rewritten to be simpler and apply for both Linux and Windows.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...