Security

How to write a query when two users are logged in from the same terminal?

vin02
Path Finder

A user has created another user and then logged in as this user from the same terminal. How do I write a query for this use case?


DalJeanis
SplunkTrust

You need to ask your data center (whoever is asking for this) to identify what kinds of transaction they are interested in. For instance, in Windows, the user creation event might be represented by a Windows event code 4724 or 624. Within Active Directory, it might be represented by 4720, 4722, 4724 and/or 4738. The logon might be a 528 or 4624. It also might be ssh/putty or other remote logons.

On the other hand, on various Linux machines, you will need the wording of the actual events. Are they looking for su and sudo events, pam records, or something else?

If no one around you can tell you the format you are looking for, then you have to look for yourself.

Log off, log on, then look for the records in whatever index someone says they ought to be in. Here are some other suggestions in the answer to this one:

https://answers.splunk.com/answers/548689/is-it-possible-to-monitor-sudo-and-root-users-usin.html

Here is some language that someone wrote to search out this kind of data. Some of it may be useful to you.

https://answers.splunk.com/answers/617340/how-can-i-tie-together-windows-logon-and-linux-ssh.html

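The answer above boils the problem down to two event types (an account-creation event and a later logon) and the keys that tie them together: the new account's name and the host the activity came from. The following is an added example, not code from the thread, that runs that correlation in Python over a handful of constructed key=value log lines. The line format and the field names (`Computer`, `SubjectUserName`, `TargetUserName`, `WorkstationName`) are assumptions chosen to resemble Windows security events; only the event codes come from the answer. The same join, expressed in SPL against whatever index holds the real events, would key on the same two fields.

```python
"""Correlate 'account created' events with a later logon of the new account
from the same host. Added example, not the thread's own code; the log format
and field names below are assumptions, and every line in SAMPLE_LOG is
constructed test data rather than a real log."""
from datetime import datetime, timedelta

# Event codes named in the answer above: account creation and logon.
CREATE_CODES = {"624", "4720"}
LOGON_CODES = {"528", "4624"}

# Constructed sample events (assumed key=value layout, not real logs).
SAMPLE_LOG = """\
2024-05-01T09:00:00 EventCode=4720 Computer=WS01 SubjectUserName=alice TargetUserName=bob
2024-05-01T09:01:30 EventCode=4624 Computer=WS01 WorkstationName=WS01 TargetUserName=bob LogonType=2
2024-05-01T09:02:00 EventCode=4624 Computer=WS02 WorkstationName=WS02 TargetUserName=bob LogonType=2
2024-05-01T09:05:00 EventCode=4720 Computer=WS03 SubjectUserName=carol TargetUserName=dave
2024-05-01T12:30:00 EventCode=4624 Computer=WS03 WorkstationName=WS03 TargetUserName=dave LogonType=2
2024-05-01T09:10:00 EventCode=4624 Computer=WS01 WorkstationName=WS01 TargetUserName=alice LogonType=2
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict with a _time field."""
    ts, *pairs = line.split()
    event = {"_time": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(events, window=timedelta(minutes=10)):
    """Return (creator, new_user, host, seconds_between) for every account
    creation that is followed, within `window`, by a logon of that new
    account whose workstation matches the host the creation happened on.
    Logons from another workstation or outside the window are ignored."""
    creations = [e for e in events if e.get("EventCode") in CREATE_CODES]
    logons = [e for e in events if e.get("EventCode") in LOGON_CODES]
    hits = []
    for created in creations:
        for logon in logons:
            if logon.get("TargetUserName") != created.get("TargetUserName"):
                continue  # a different account logged on
            if logon.get("WorkstationName") != created.get("Computer"):
                continue  # same account, but not from the creating terminal
            delta = logon["_time"] - created["_time"]
            if timedelta(0) <= delta <= window:
                hits.append((created["SubjectUserName"],
                             created["TargetUserName"],
                             created["Computer"],
                             int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for creator, new_user, host, secs in correlate(parse_log(SAMPLE_LOG)):
        print(f"{creator} created {new_user} on {host}; "
              f"{new_user} logged on from {host} {secs}s later")
```

With the default ten-minute window only alice's creation of bob on WS01 is reported; dave's logon on WS03 arrives more than three hours after the creation, and bob's logon from WS02 fails the host check. Widening the window to a few hours picks up the dave case as well, which is the knob to tune once you know how long the gap between creation and first logon usually is in your environment.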

vin02
Path Finder

The user has created a new user from the Splunk UI and logged in with the new user in the UI console.


somesoni2
Revered Legend

What logs are you searching on?
