Splunk Search

Help me with the SPL

Akhanda
Loves-to-Learn Everything

Hi,
Could some one pls help me the lateral movement which  look for a user with remote NTLM (type 3) logins on an abnormal number of destinations.

 

 


Thanks

Labels (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am not sure what that ask is here

What is your concern regarding plagarism? If I rewrite this SPL and you use it, are you then not plagarising my SPL?

It is not clear what NTLM (type 3) is - could you just change the Logon_Type or LogonType part of the search to look for 3 instead of 10?

Please share some anonymised events so we can see what you are dealing with, and an indication of the expected output?

0 Karma

Akhanda
Loves-to-Learn Everything

@ITWhisperer ,

Usecase is related to Lateral movement 

Thanks.


0 Karma

Akhanda
Loves-to-Learn Everything

@ITWhisperer ,

This above query is based on  
https://www.splunk.com/en_us/blog/security/active-directory-lateral-movement-detection-threat-resear...
if possible pls help me in making a query as per the sample event.
thanks

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Sorry, I am not a security expert.

0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...