
Search to alert user is logged into more than 1 VPN instance concurrently

lucasedgar
Engager

Hello,
I am trying to write a search to look for an admin logged into our Cisco vpn1 and vpn2 instances at the same time.

The VPN is set up to only allow one session from an admin. However, each site enforces that, as each VPN setup doesn't know about the sessions at the other site. This could be used to connect maliciously with a compromised account without kicking off a legitimate admin.

Looking for something that will match when both instances are logged into by the same user account.

Thanks

1 Solution

mbjerkeland_spl
Splunk Employee

Hi

I suspect something as simple as this could work:

sourcetype=cisco:asa tag=authentication tag=privileged | stats dc(host) as dc_host values(host) as values_host BY user | where dc_host > 1

You may need to refine the base search a bit and add additional BY clauses to get your desired result.

I am on a cellphone, so I am not able to test it myself, unfortunately.




lucasedgar
Engager

That worked! Thanks for the quick reply!

It groups by user; however, I do get return values for user="*****", and when I click to view events I do not see any events with that username. Also, the search does not seem to let me filter them out, e.g. user!="*****" or NOT user="*****".

Any ideas with that?


mbjerkeland_spl
Splunk Employee
Splunk Employee

You're welcome.

You should be able to filter out users in the base search as well as at the end of the SPL using | search.

Can you paste the exact search you are trying as well as a screenshot of your data and possibly also the fields returned?

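To show what the accepted search does and where it falls short of the "at the same time" requirement in the question, here is an added Python example that is not from the thread and not Splunk code: it runs the same dc(host) > 1 logic over constructed log lines, excludes the masked user="*****" rows from the follow-up post, and then applies a stricter check that the sessions on different hosts actually overlap in time. The log format and the field names host/user/action are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample records, not real Cisco ASA output: one VPN head-end per
# "host", one login/logout event per user. Field names host/user/action are assumed.
SAMPLE_EVENTS = [
    "2024-01-01T09:00:00 host=vpn1 user=alice action=login",
    "2024-01-01T09:05:00 host=vpn2 user=alice action=login",   # concurrent with vpn1
    "2024-01-01T09:30:00 host=vpn1 user=alice action=logout",
    "2024-01-01T10:00:00 host=vpn1 user=bob action=login",
    "2024-01-01T10:30:00 host=vpn1 user=bob action=logout",
    "2024-01-01T11:00:00 host=vpn2 user=bob action=login",     # sequential, not concurrent
    "2024-01-01T11:10:00 host=vpn1 user=***** action=login",   # masked name, excluded
    "2024-01-01T11:12:00 host=vpn2 user=***** action=login",
]
MASKED_USERS = {"*****"}  # placeholder usernames the follow-up post wanted filtered out

def parse_event(line):
    """Return (timestamp, host, user, action) from one constructed log line."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), f["host"], f["user"], f["action"]

def distinct_host_users(lines):
    """Same logic as the accepted SPL: users seen on more than one host, time ignored."""
    hosts = defaultdict(set)
    for _, host, user, _ in map(parse_event, lines):
        if user not in MASKED_USERS:
            hosts[user].add(host)
    return {u: h for u, h in hosts.items() if len(h) > 1}

def concurrent_multi_host_users(lines, window_end):
    """Stricter check: users whose sessions on different hosts overlap in time; logins
    with no logout are treated as still open until window_end (ISO timestamp string)."""
    end = datetime.fromisoformat(window_end)
    sessions, open_logins = defaultdict(list), {}     # user -> [(host, start, end)]
    for ts, host, user, action in sorted(map(parse_event, lines)):
        if user in MASKED_USERS:
            continue
        if action == "login":
            open_logins[(user, host)] = ts
        elif action == "logout" and (user, host) in open_logins:
            sessions[user].append((host, open_logins.pop((user, host)), ts))
    for (user, host), start in open_logins.items():   # still connected at window end
        sessions[user].append((host, start, end))
    flagged = defaultdict(set)
    for user, sess in sessions.items():
        for i, (h1, s1, e1) in enumerate(sess):
            for h2, s2, e2 in sess[i + 1:]:
                if h1 != h2 and s1 < e2 and s2 < e1:      # intervals overlap
                    flagged[user].update({h1, h2})
    return dict(flagged)
```

Over the sample, the dc(host) style check flags both alice and bob, while the overlap check flags only alice, since bob's vpn2 login came after the vpn1 logout.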