Splunk Search

Help me with the SPL

Akhanda
Engager

Hi,
Could some one pls help me the lateral movement which  look for a user with remote NTLM (type 3) logins on an abnormal number of destinations.

 

 


Thanks

Labels (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am not sure what that ask is here

What is your concern regarding plagarism? If I rewrite this SPL and you use it, are you then not plagarising my SPL?

It is not clear what NTLM (type 3) is - could you just change the Logon_Type or LogonType part of the search to look for 3 instead of 10?

Please share some anonymised events so we can see what you are dealing with, and an indication of the expected output?

0 Karma

Akhanda
Engager

@ITWhisperer ,

Usecase is related to Lateral movement 

Thanks.


0 Karma

Akhanda
Engager

@ITWhisperer ,

This above query is based on  
https://www.splunk.com/en_us/blog/security/active-directory-lateral-movement-detection-threat-resear...
if possible pls help me in making a query as per the sample event.
thanks

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Sorry, I am not a security expert.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...