Security

Users who accessed from more than one IP address

MrWh1t3
Path Finder

Hello,

I'm currently trying to find any user that might have had successful logins from multiple source ip addresses. I've looked all over and can't seem to figure this out. Is there a way to do this within the search?

Tags (2)
0 Karma
1 Solution

MrWh1t3
Path Finder

Figured it out.... Feel free to make it better.

eventtype="windows-security-4625" | stats dc(src_ip) by Account_Name | search "dc(src_ip)" > 1 |sort "dc(src_ip)" asc

Seems to work fine, but it would be cool to have it also spit out the various src_ips. I'm still playing with it.

View solution in original post

MrWh1t3
Path Finder

Figured it out.... Feel free to make it better.

eventtype="windows-security-4625" | stats dc(src_ip) by Account_Name | search "dc(src_ip)" > 1 |sort "dc(src_ip)" asc

Seems to work fine, but it would be cool to have it also spit out the various src_ips. I'm still playing with it.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...