Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help me with the SPL

Akhanda
Loves-to-Learn Everything
‎03-04-2024 02:28 AM

Hi,
Could some one pls help me the lateral movement which  look for a user with remote NTLM (type 3) logins on an abnormal number of destinations.

 

 


Thanks

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-04-2024 02:42 AM

I am not sure what that ask is here

What is your concern regarding plagarism? If I rewrite this SPL and you use it, are you then not plagarising my SPL?

It is not clear what NTLM (type 3) is - could you just change the Logon_Type or LogonType part of the search to look for 3 instead of 10?

Please share some anonymised events so we can see what you are dealing with, and an indication of the expected output?

0 Karma
Reply

Akhanda
Loves-to-Learn Everything
‎03-04-2024 04:36 AM

@ITWhisperer ,

Usecase is related to Lateral movement 

Thanks.


0 Karma
Reply

Akhanda
Loves-to-Learn Everything
‎03-05-2024 05:44 AM

@ITWhisperer ,

This above query is based on  
https://www.splunk.com/en_us/blog/security/active-directory-lateral-movement-detection-threat-resear...
if possible pls help me in making a query as per the sample event.
thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2024 07:10 AM

Sorry, I am not a security expert.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...