Hi,
We wonder how to monitor SMBv1 access in a domain.
We have already enabled the event code 3000 log in the Windows log.
Now we want to know who uses SMBv1 to access every host.
To start, we use this search:
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
but now we want to display in a table / stats ... for each host, each computer / user accessing it.
Could you help us please?
Hello,
thank you for your answer.
I want to determine the active use of the old SMBv1 protocol.
Because as you may know, SMBv1 is not secure at all.
So we want to analyze all the servers in the AD with event ID 3000 and sort them according to the number of events matching event code 3000 that occurred on each of them.
Regards
Hi @darphboubou ,
I don't have event samples, so I cannot see the fields in the Interesting Fields panel. So, running the main search
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
which fields do you have in the Interesting Fields panel?
Choose the ones to use for stats searches: e.g. if you want the count per user or per host, you could run something like:
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
| stats count BY user
or
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
| chart count OVER user BY host
then choose the fields to display in a table search:
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
| table _time host user domain action ...
As I said, the most valuable job is to know what to search for; then you can learn how to search in Splunk using the Search Tutorial.
Saving these searches in different dashboard panels, you'll have your dashboard to monitor your use case.
Ciao.
Giuseppe
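The searches above count by whatever fields Splunk extracts; the following is an added example, not part of this thread or of any Splunk product documentation, that builds the per-host overview the question asks for. It assumes the Event ID 3000 message text carries the connecting client as "Client Address: <ip>" (a labelled assumption; check the raw event text in your own index and adjust the regex) and that the sourcetype populates the standard `host` field with the server that logged the event.

```spl
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
| rex "Client Address:\s+(?<client_ip>[0-9A-Fa-f\.:]+)"
| stats count AS smb1_events
        dc(client_ip) AS distinct_clients
        values(client_ip) AS clients
        min(_time) AS first_seen
        max(_time) AS last_seen
  BY host
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - smb1_events
```

One row per server, ordered by how much SMBv1 traffic it still receives, with the list of client addresses that caused it; `first_seen` / `last_seen` tell you whether the usage is ongoing or historical before you disable SMBv1 on that host. For the drilldown panel (which client talks to which server, how often), replace the `stats` clause with `stats count BY host client_ip` in a second dashboard panel. Event 3000 identifies the client only by address, so if you need the user, join the IP against DHCP or logon data rather than expecting a `user` field in this event.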
Hi @darphboubou,
you have to do two actions:
The most difficult action is the first (usually a job in Splunk requires 70% target technology knowledge and 30% Splunk knowledge).
About Splunk knowledge, I suggest following the Splunk Search Tutorial ( http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial ), which teaches you how to search in Splunk.
So, please, describe your use cases.
Ciao.
Giuseppe