Splunk Enterprise Security

How to write a query to find out users who logged into remote servers

liz23
New Member

When I write a query in splunk, I get results that also contain the intermediate active directory entries. I just need the username and the remote server he logged into in a single entry in a table without the active directory records. How do I tie these two things up.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

The answer is generally -
(1) find the format and identifying features of the records that contain information you need.
(2) find the format and identifying features of the records that do NOT contain information you need.
(3) write a query that retrieves the first group, eliminates the second group, and then processes the results to the format you want.

So, how do you find the format and identifying features of the records you want?

It sounds like you already have examples, just too many of them.

So, here's the steps

A) Pick ONE particular logon - one time when one user logged onto one computer and then logged through into another. Select all the events, including the ones that you don't need.

B) Anonymize this data by removing confidential information, masking IPs, changing the username and hostnames, and so on.

C) Post this non-confidential transaction data here in your question, along with your current search code. Be sure to mark the code and sample data both as code so that nothing gets altered by the interface.

D) Create and post the layout that you would like to see this information end up in.

Then we can tell you how to mate that all up into a search, perhaps using stats or perhaps transaction, to get what you need.

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...