Example of how to identify users with increased login activity?

sloshburch
Splunk Employee

Does anyone have examples of how to use Splunk to identify users with increased login activity?


sloshburch
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Users tend to log into the same hosts with the same frequency as their peers. Users with notably more activity are worth investigating. They might in fact be a user or attacker that acquired a user's account credentials and are actively penetrating the company's servers.

Load data

How to implement: This example use case depends on successful logon events from Windows Security and Unix Secure data.

For Windows logon events, install the Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] input to collect Windows Event Log security data from endpoints. For Unix-based logon events, install the Splunk Add-on for Unix and Linux and enable the [monitor:///var/log] input to collect linux_secure, aix_secure, osx_secure, and other security data from endpoints. See the Data Source Onboarding Guides for Windows Security Logs or Data Source Onboarding Guides for Linux Auth Logs for additional guidance on making sure logon events are being collected.

Run the following search to verify you are searching for normalized authentication data that is ready for this use case:

earliest=-1day index=* tag=authentication user=* src=*
| head 10

Get insights

Find users who log into more hosts than usual.

Run the following search.

index=* tag=authentication action=success
| bucket _time span=1d
| stats dc(host) AS count BY user _time

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: Any suspicious patterns should be investigated in order to determine if the logins are an appropriate behavior for the user's job function.

How to respond: Complete the following steps when this search returns values:

  1. Initiate your incident response process and identify the account name associated with the suspicious domain
  2. Establish the time the event occurred and from what system the login attempt occurred
  3. Contact the user and system owners to determine if it is authorized

If the event was authorized, document the case and user credentials. If the event was not authorized, another party may have used the user credentials and additional investigation is warranted. Note that compromised credentials may be used to gain access to a broad set of systems.

Help

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

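To show what the "Get insights" search computes, and to add the peer-baseline comparison that "more hosts than usual" implies, here is an added Python example (not part of the original post or of Splunk Security Essentials) run over a constructed sample of CIM-normalized authentication events. The peer-median baseline and the factor of 2 are assumptions made here; the SPL search itself only produces the per-user, per-day distinct-host counts.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (time, user, host, action); not real data.
EVENTS = [
    ("2024-03-01T08:01:00", "alice", "ws01", "success"),
    ("2024-03-01T09:30:00", "alice", "ws02", "success"),
    ("2024-03-01T13:00:00", "alice", "ws01", "success"),  # same host again: dc counts it once
    ("2024-03-02T08:05:00", "alice", "ws01", "success"),
    ("2024-03-03T08:00:00", "alice", "ws01", "success"),
    ("2024-03-03T10:00:00", "alice", "ws02", "success"),
    ("2024-03-01T08:10:00", "bob", "ws03", "success"),
    ("2024-03-02T08:10:00", "bob", "ws03", "success"),
    ("2024-03-02T11:00:00", "bob", "ws04", "success"),
    ("2024-03-03T08:10:00", "bob", "ws03", "success"),
    ("2024-03-01T08:20:00", "carol", "ws05", "success"),
    ("2024-03-02T08:20:00", "carol", "ws05", "success"),
    ("2024-03-03T02:00:00", "carol", "ws05", "success"),
    ("2024-03-03T02:05:00", "carol", "ws06", "success"),
    ("2024-03-03T02:10:00", "carol", "ws07", "success"),
    ("2024-03-03T02:15:00", "carol", "srv01", "success"),
    ("2024-03-03T02:20:00", "carol", "srv02", "success"),
    ("2024-03-03T02:25:00", "carol", "srv03", "success"),
    ("2024-03-03T02:30:00", "carol", "srv04", "failure"),  # excluded by action=success
]

def dc_host_by_user_day(events, action="success"):
    """Equivalent of: action=success | bucket _time span=1d | stats dc(host) BY user _time."""
    hosts = defaultdict(set)
    for ts, user, host, act in events:
        if act != action:
            continue
        day = datetime.fromisoformat(ts).date().isoformat()  # 1-day bucket
        hosts[(user, day)].add(host)
    return {key: len(seen) for key, seen in hosts.items()}

def flag_unusual(counts, factor=2.0):
    """Assumed baseline step: flag user-days whose distinct-host count exceeds
    factor x the median over all user-days (the 'peers' the post refers to)."""
    baseline = median(counts.values())
    return sorted((u, d, c) for (u, d), c in counts.items() if c > factor * baseline)

if __name__ == "__main__":
    daily = dc_host_by_user_day(EVENTS)
    for user, day, count in flag_unusual(daily):
        print(f"{day} {user}: {count} distinct hosts (peer median {median(daily.values())})")
```

Treat a flagged row as a lead for the "How to respond" steps above, not as a verdict; a legitimate change in job function produces the same pattern.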
sloshburch
Splunk Employee

This post has been rewritten to be simpler and apply for both Linux and Windows.
