Security

How to search and identify possible extranet sharepoint servers that authenticate 5 or more users in the environment?

majidlodhi
Explorer

I need to create a list of possible extranet sharepoint servers that authenticate (failed or successful) 5 or more users in the environment. I am still new to splunk and having a hard time. I need to list the servers IP address.

I have created the below query:

sourcetype="WinEventLog:Security" Account_Name!=*$ "tag::action"=success OR "tag::action"=failure | stats  count by EventCode, src | sort -count

I am having trouble figuring out which field would the server be under so I can pull the IP for it. I added the SRC in there, but I believe that it's wrong as I am getting way too many IP's. I tried many different combinations, but it didn't work.

Any tips please?

0 Karma
1 Solution

joshd
Builder

The src would be the source of the authentication event, generally in Windows logs this would be the source IP address for the user that was authenticating. If the data is coming directly into Splunk thru a forwarder and Im assuming (based on your use of the src field) that the SA/TA for Windows is in use to make your data CIM compliant then you have two options:

  1. Non-CIM... use the host field ' ... | stats count by EventCode, host | ... '
  2. CIM compliant.. use the dest field ' ... | stats count by EventCode, dest | ... '

Just to add a little more to this ... to only have a table of those with 5 or more add a ' ... | where count>4 ' onto the end.

View solution in original post

joshd
Builder

The src would be the source of the authentication event, generally in Windows logs this would be the source IP address for the user that was authenticating. If the data is coming directly into Splunk thru a forwarder and Im assuming (based on your use of the src field) that the SA/TA for Windows is in use to make your data CIM compliant then you have two options:

  1. Non-CIM... use the host field ' ... | stats count by EventCode, host | ... '
  2. CIM compliant.. use the dest field ' ... | stats count by EventCode, dest | ... '

Just to add a little more to this ... to only have a table of those with 5 or more add a ' ... | where count>4 ' onto the end.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...