I want to make an alert which detects abnormal user connections. I have 5 workstations integrated into Splunk. 5 users are authorized to connect to these computers. I want to be alerted when another user connects to these computers.
Do you have any idea how to do that, please?
Thanks in advance.
Step one: get logs
Get the logs that identify which users are using the machines. Make sure these logs identify the machine and the user. You might be able to use an app on apps.splunk.com to parse the logs from the devices that provide the logs (e.g. you could use the "Splunk App for Windows" to get the user information from Windows machines).
For example, the Splunk App for Windows will parse out the user and destination so a search such as this should reveal who is logging into what machine:
tag=authentication | table dest user
Step two: create the baseline to filter expected logons
Update the search to filter out the logons to find logins that you don't expect. Your search will look something like this:
tag=authentication (dest=HOST-001 OR dest=HOST-002) AND (user!=administrator AND user!=john_smith) | stats count by user, dest
Step three: set up alerting
If you want the search to notify you when an unauthorized user logs in, then make the search a saved search in the Splunk Manager and set up alerting (e.g. to get email alerts).
Logs are parsed properly and I am able to see all the users who are logged on a computer. I will try your solution as soon as possible and I will let you know. Thanks.
You can also do this without the Windows App.
You would want to configure the below search with the correct workstation and user names, and test it before you configure the alert to make sure there are no other computers or users that need to be excluded.
Then configure the alert to run hourly, or daily, or real time as you prefer. Set the alert to trigger on results greater than 0, to send an email, and to include the results.
index=main sourcetype="*security" (host="workstation1" OR host="workstation2" OR host="workstation3" OR host="workstation4" OR host="workstation5") EventCode=4624
| eval Account_Name=mvindex(Account_Name,1)
| search NOT Account_Name=user1 NOT Account_Name=user2 NOT Account_Name=user3 NOT Account_Name=user4 NOT Account_Name=user5
| search NOT Account_Name="*$" NOT Account_Name=system NOT Account_Name="local service" NOT Account_Name="network service" NOT Account_Name="anonymous logon"
| rename Workstation_Name AS Source_Workstation ComputerName AS Target_Workstation
| fillnull value=null
| stats count by Account_Name Source_Workstation Target_Workstation Logon_Type
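As an added example (not part of either answer above, and not Splunk's own code), the filter chain of the second search can be checked offline in Python against constructed 4624 events before the alert is enabled. The `sample` helper, the `.example.local` names, and the accounts `mallory` and `svc_backup` are assumptions made up for the illustration.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Placeholder names taken from the search above; replace with the real ones.
WORKSTATIONS = {f"workstation{i}" for i in range(1, 6)}
AUTHORIZED = {f"user{i}" for i in range(1, 6)}
# Machine accounts (*$) and built-in identities the search excludes as noise.
NOISE = ["*$", "system", "local service", "network service", "anonymous logon"]

def unauthorized_logons(events):
    """Count 4624 logons by accounts outside the allowlist, grouped like the final stats."""
    hits = Counter()
    for e in events:
        if e.get("EventCode") != 4624 or e.get("host", "").lower() not in WORKSTATIONS:
            continue
        names = e.get("Account_Name") or []
        # mvindex(Account_Name,1): the second value is the account of the new logon.
        # Assumption of this example: a missing value is reported as "null" for review.
        account = names[1] if len(names) > 1 else "null"
        key = account.lower()  # the search command matches field values case-insensitively
        if key in AUTHORIZED or any(fnmatchcase(key, p) for p in NOISE):
            continue
        hits[(account,
              e.get("Workstation_Name") or "null",  # fillnull value=null
              e.get("ComputerName") or "null",
              str(e.get("Logon_Type") or "null"))] += 1
    return dict(hits)

def sample(host, names, logon_type, src=None):
    """Hypothetical helper: build one constructed event with the fields the search uses."""
    return {"EventCode": 4624, "host": host, "Account_Name": names, "Workstation_Name": src,
            "ComputerName": f"{host}.example.local", "Logon_Type": logon_type}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    sample("workstation1", ["-", "user1"], 2, "WORKSTATION1"),            # authorized
    sample("workstation2", ["WORKSTATION2$", "mallory"], 10, "LAPTOP-77"),  # not on the list
    sample("workstation2", ["WORKSTATION2$", "mallory"], 10, "LAPTOP-77"),  # same again
    sample("workstation3", ["-", "WORKSTATION3$"], 3),                    # machine account
    sample("workstation4", ["WORKSTATION4$", "SYSTEM"], 5),               # built-in identity
    sample("WORKSTATION5", ["-", "User2"], 2, "WORKSTATION5"),            # authorized, other case
    sample("workstation1", ["WORKSTATION1$", "svc_backup"], 5),           # no source workstation
    sample("server9", ["-", "mallory"], 3),                               # host not in scope
]

if __name__ == "__main__":
    for (acct, src, dst, ltype), n in unauthorized_logons(SAMPLE_EVENTS).items():
        print(f"{acct} from {src} to {dst} logon_type={ltype} count={n}")
```

The `svc_backup` row shows why the test run matters: a service account that is neither a listed user nor one of the excluded built-ins will trigger the alert until it is added to the exclusions.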