Splunk Search

How to set up an alert that will show when someone other than those 3 is trying to log in?

kbohlken
Observer

I have a small environment.  I have 3 users that are allowed to login to a particular server.  If I search:

index=<index name>  user=<username>  OR user=<username> OR user=<username>

I find all instances of them logging in.  How can I find users that are not equal to those 3 users?  I want to set up an alert that will let me know when someone other than those 3 is trying to log in.

0 Karma

gcusello
Esteemed Legend

Hi @kbohlken,

if you're speaking of login to Splunk, you can use this search:

Splunk_Audit eventtype

index=_audit sourcetype = audittrail action="login attempt"

Splunk_Logfail

eventtype=Splunk_Audit info=failed


Splunk_Login

eventtype=Splunk_Audit info=succeeded

Bye.

Giuseppe

0 Karma

kbohlken
Observer

Not logging into Splunk.  I have a server that forwards its log to Splunk.  I want Splunk to alert me when someone who is not one of the three users tries to log in.  I want to define which three users are allowed, and if anyone besides them tries, I will be notified.  I do not want failed attempts.  Just when it is someone I do not know.

0 Karma

gcusello
Esteemed Legend

Hi @kbohlken,

What kind of server do you have: Windows or Linux?

If you are speaking of a Windows server, you could run something like this:

index=wineventlog EventCode=4624 User_Name!="*SERVI*" AND User_Name!="SYST*"
| stats count BY Account_name

If you are speaking of a Linux server, you could run something like this:

index=os "accepted password"
| stats count BY user

Bye.

Giuseppe

0 Karma
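The thread never shows the actual "not one of these three users" filter the question asks for. The searches below are an added example (not from either poster): the first hard-codes the allowlist with NOT ... IN, the second keeps it in a lookup so it can be changed without editing the alert. Assumed: Linux sshd logs indexed as index=os with sourcetype=linux_secure, the three allowed accounts alice, bob and carol, and an uploaded lookup file allowed_users.csv with the columns user,allowed.

```spl
index=os sourcetype=linux_secure "Accepted password" OR "Accepted publickey"
| rex "Accepted \w+ for (?<user>\S+) from (?<src_ip>\S+)"
| search NOT user IN ("alice", "bob", "carol")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen, values(src_ip) AS src_ips BY user
| convert ctime(first_seen) ctime(last_seen)

index=os sourcetype=linux_secure "Accepted password" OR "Accepted publickey"
| rex "Accepted \w+ for (?<user>\S+) from (?<src_ip>\S+)"
| lookup allowed_users.csv user OUTPUTNEW allowed
| where isnull(allowed)
| stats count, values(src_ip) AS src_ips BY user
```

Save either search as an alert scheduled over the same window it runs on (for example every 15 minutes over the last 15 minutes) with the trigger condition "Number of results is greater than 0", so it only fires when a successful login by a user outside the allowlist was seen. For a Windows host the same NOT ... IN or lookup step can be applied to the Account_Name field of EventCode=4624 events.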