Same computer multiple authentication attempts

johann2017 · ‎02-18-2019

Hello. How would I write a search to show a computer that has been authenticating to multiple machines. For example, a hacker is logged into one computer (let's call it computer "A"), and from that same computer he is successfully logging onto multiple machines across the network (computers "B - Z"). How would I return the source computer "A" (or IP address) and the destination machines ("B - Z") that he has been logging into?

This is assuming I don't know what computer the hacker is on. Therefore, I imagine some sort of logon threshold from a single machine would need to be defined in order to identify this type of behavior?

woodcock · ‎02-18-2019

If you are using CIM, like this:

| tstats summariesonly=t count values(dest) AS destCount
FROM datamodel=Authentication 
WHERE index=* AND nodename=Authentication.Successful_Authentication
BY Authentication.src
| where destCount >= 2

johann2017 · ‎02-19-2019

No we aren't using CIM. Seems like it could be useful. It's to help give you some sort of normalization for your data?

woodcock · ‎03-06-2019

Exactly. You definitely should start there and come back here after that and click Accept either on this answer or on your answer after posting what you actually did.

Same computer multiple authentication attempts

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio