Hello,
I am trying to write a search to look for an admin logged into our Cisco vpn1 and vpn2 instances at the same time.
The VPN is set up to only allow one session from an admin. However, each site enforces that on its own, as each VPN setup doesn't know about the sessions at the other site. This could be used to connect maliciously with a compromised account without kicking off a legitimate admin.
Looking for something that will match when both instances are logged into by the same user account.
Thanks
Hi
I suspect something as simple as this could work:
sourcetype=cisco:asa tag=authentication tag=privileged | stats dc(host) as dc_host values(host) as values_host BY user | where dc_host > 1
You may need to refine the base search a bit and add additional BY clauses to get your desired result.
I am on a cellphone so I am not able to test it myself unfortunately.
That worked! Thanks for the quick reply!
It groups by user; however, I do get return values for user="*****", and when I click to view events I do not see any events with that username. Also the search does not seem to let me filter them out, e.g. user!="*****" or NOT user="*****".
Any ideas with that?
You're welcome.
You should be able to filter out users in the base search as well as at the end of the SPL using | search.
Can you paste the exact search you are trying as well as a screenshot of your data and possibly also the fields returned?
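To show what the suggested SPL is doing (distinct-count of host per user, then keep users seen on more than one host) and how the user exclusion discussed above fits in, here is an added Python example that is not part of the thread or of Splunk. It runs the same logic over a few constructed Cisco ASA-style syslog lines; the hostname before the %ASA tag stands in for Splunk's host field, the message ID 113039 is assumed to be the session-start event of interest, and the masked "*****" user is included only to show the exclusion filter.

```python
import re
from collections import defaultdict

# Constructed sample lines in Cisco ASA syslog style (not real log data).
# The hostname after the timestamp plays the role of Splunk's "host" field.
SAMPLE_LINES = [
    "Mar  1 10:00:01 vpn1 %ASA-6-113039: Group <admins> User <alice> IP <10.0.0.5> AnyConnect parent session started.",
    "Mar  1 10:00:07 vpn2 %ASA-6-113039: Group <admins> User <alice> IP <198.51.100.7> AnyConnect parent session started.",
    "Mar  1 10:01:15 vpn1 %ASA-6-113039: Group <admins> User <bob> IP <10.0.0.9> AnyConnect parent session started.",
    "Mar  1 10:02:40 vpn2 %ASA-6-113039: Group <admins> User <*****> IP <10.0.0.3> AnyConnect parent session started.",
    "Mar  1 10:03:02 vpn1 %ASA-6-113039: Group <admins> User <*****> IP <10.0.0.4> AnyConnect parent session started.",
    "Mar  1 10:03:55 vpn1 %ASA-6-113039: Group <admins> User <alice> IP <10.0.0.5> AnyConnect parent session started.",
]

# Assumed line layout: "<Mon> <day> <hh:mm:ss> <host> %ASA-<sev>-113039: ... User <name> ..."
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+%ASA-\d-113039: .*?User <(?P<user>[^>]+)>"
)


def parse_login(line):
    """Return (host, user) for a session-start line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("user")


def concurrent_admin_logins(lines, exclude=()):
    """Equivalent of: stats dc(host) values(host) BY user | where dc_host > 1.

    `exclude` plays the role of a NOT user="..." filter in the base search.
    Returns {user: sorted list of distinct hosts} for users seen on >1 host.
    """
    hosts_by_user = defaultdict(set)  # user -> set of hosts (dc(host) == len(set))
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue  # not a session-start event, skip it
        host, user = parsed
        if user in exclude:
            continue  # filtered out, as the SPL base search would do
        hosts_by_user[user].add(host)
    return {user: sorted(hosts) for user, hosts in hosts_by_user.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Without the exclusion the masked user shows up as a hit on both VPNs;
    # with it only alice (vpn1 and vpn2) remains.
    print(concurrent_admin_logins(SAMPLE_LINES))
    print(concurrent_admin_logins(SAMPLE_LINES, exclude=("*****",)))
```

Note that, like the SPL, this only checks that a user appears on both hosts within the set of lines it is given; in Splunk the search time range is what bounds "at the same time", so run the saved search over a short window (or add session-end handling) if you need true overlap rather than "both hosts seen in the last N minutes".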