
Search to alert user is logged into more than 1 VPN instance concurrently

lucasedgar
Engager

Hello,
I am trying to write a search to look for an admin logged into our cisco vpn1 and vpn2 instances at the same time.

The VPN is set up to only allow one session from an admin. However, each site enforces that on its own, as each VPN setup doesn't know about the sessions at the other site. This could be used to connect maliciously with a compromised account without kicking off a legitimate admin.

Looking for something that will match when both instances are logged into by the same user account.

Thanks

1 Solution

mbjerkeland_spl
Splunk Employee

Hi

I suspect something as simple as this could work:

sourcetype=cisco:asa tag=authentication tag=privileged | stats dc(host) as dc_host values(host) as values_host BY user | where dc_host > 1

You may need to refine the base search a bit and add additional BY clauses to get your desired result.

I am on a cellphone so I am not able to test it myself unfortunately.


0 Karma

lucasedgar
Engager

That worked! Thanks for the quick reply!

It groups by user; however, I do get return values for user="*****", and when I click to view events I do not see any events with that username. Also, the search does not seem to let me filter them out, e.g. user!="*****" or NOT user="*****".

Any ideas with that?

0 Karma

mbjerkeland_spl
Splunk Employee

You're welcome.

You should be able to filter out users in the base search as well as at the end of the SPL using | search.

Can you paste the exact search you are trying as well as a screenshot of your data and possibly also the fields returned?

0 Karma
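The accepted answer's detection (stats dc(host) BY user, then where dc_host > 1) and the follow-up about filtering out user="*****" can be checked offline with a small Python stand-in. This is an added example, not code from the thread or from Splunk: the sample lines are constructed to look like ASA login messages with a host prefix, and the hostnames vpn1/vpn2, usernames and IPs are placeholders. It shows why two sessions on the same box are not flagged (one distinct host) while one session on each box is, and how excluding a username before aggregation plays the role of adding user!="*****" to the base search.

```python
import re
from collections import defaultdict

# Constructed sample events: "<host> <ASA-style message>". Not real logs;
# hostnames, usernames and IPs are placeholders for this example only.
SAMPLE_EVENTS = [
    "vpn1 %ASA-6-113039: Group <admins> User <alice> IP <203.0.113.10> AnyConnect parent session started.",
    "vpn2 %ASA-6-113039: Group <admins> User <alice> IP <198.51.100.7> AnyConnect parent session started.",
    "vpn1 %ASA-6-113039: Group <admins> User <bob> IP <203.0.113.11> AnyConnect parent session started.",
    "vpn1 %ASA-6-113039: Group <admins> User <bob> IP <203.0.113.12> AnyConnect parent session started.",
    "vpn2 %ASA-6-113039: Group <admins> User <*****> IP <198.51.100.8> AnyConnect parent session started.",
    "vpn1 %ASA-6-113039: Group <admins> User <*****> IP <203.0.113.13> AnyConnect parent session started.",
]

# Assumed field layout: leading hostname, then "User <name> IP <addr>" in the message.
EVENT_RE = re.compile(r"^(?P<host>\S+)\s.*?User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>")


def parse_event(line):
    """Extract host, user and ip from one login line; None if the line does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def concurrent_users(lines, exclude_users=frozenset()):
    """Equivalent of:
         ... | stats dc(host) as dc_host values(host) as values_host BY user
             | where dc_host > 1
    exclude_users mirrors adding user!="..." to the base search, so those
    events never reach the aggregation. Returns {user: sorted list of hosts}
    for every user seen on more than one distinct host.
    """
    hosts_by_user = defaultdict(set)  # user -> distinct hosts (dc(host) is len())
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["user"] in exclude_users:
            continue
        hosts_by_user[ev["user"]].add(ev["host"])
    return {user: sorted(hosts) for user, hosts in hosts_by_user.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Unfiltered: alice and the masked "*****" user both appear on vpn1 and vpn2;
    # bob has two sessions but only on vpn1, so dc(host) == 1 and he is not flagged.
    print(concurrent_users(SAMPLE_EVENTS))
    # With the masked username excluded up front, only alice remains.
    print(concurrent_users(SAMPLE_EVENTS, exclude_users={"*****"}))
```

Like the SPL, this counts distinct hosts per user over the whole input and does not pair logins with logouts, so the search time window is what bounds "at the same time"; narrowing the base search, as the answer suggests, is the way to tighten that.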