Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search and identify possible extranet sharepoint servers that authenticate 5 or more users in the environment?

majidlodhi
Explorer
‎01-23-2015 12:51 PM

I need to create a list of possible extranet sharepoint servers that authenticate (failed or successful) 5 or more users in the environment. I am still new to splunk and having a hard time. I need to list the servers IP address.

I have created the below query:

sourcetype="WinEventLog:Security" Account_Name!=*$ "tag::action"=success OR "tag::action"=failure | stats  count by EventCode, src | sort -count

I am having trouble figuring out which field would the server be under so I can pull the IP for it. I added the SRC in there, but I believe that it's wrong as I am getting way too many IP's. I tried many different combinations, but it didn't work.

Any tips please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

joshd
Builder
‎01-23-2015 01:27 PM

The src would be the source of the authentication event, generally in Windows logs this would be the source IP address for the user that was authenticating. If the data is coming directly into Splunk thru a forwarder and Im assuming (based on your use of the src field) that the SA/TA for Windows is in use to make your data CIM compliant then you have two options:

  1. Non-CIM... use the host field ' ... | stats count by EventCode, host | ... '
  2. CIM compliant.. use the dest field ' ... | stats count by EventCode, dest | ... '

Just to add a little more to this ... to only have a table of those with 5 or more add a ' ... | where count>4 ' onto the end.

View solution in original post

Reply
Solved! Jump to solution
Solution

joshd
Builder
‎01-23-2015 01:27 PM

The src would be the source of the authentication event, generally in Windows logs this would be the source IP address for the user that was authenticating. If the data is coming directly into Splunk thru a forwarder and Im assuming (based on your use of the src field) that the SA/TA for Windows is in use to make your data CIM compliant then you have two options:

  1. Non-CIM... use the host field ' ... | stats count by EventCode, host | ... '
  2. CIM compliant.. use the dest field ' ... | stats count by EventCode, dest | ... '

Just to add a little more to this ... to only have a table of those with 5 or more add a ' ... | where count>4 ' onto the end.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...