Splunk Search

Same computer multiple authentication attempts

johann2017
Explorer

Hello. How would I write a search to show a computer that has been authenticating to multiple machines. For example, a hacker is logged into one computer (let's call it computer "A"), and from that same computer he is successfully logging onto multiple machines across the network (computers "B - Z"). How would I return the source computer "A" (or IP address) and the destination machines ("B - Z") that he has been logging into?

This is assuming I don't know what computer the hacker is on. Therefore, I imagine some sort of logon threshold from a single machine would need to be defined in order to identify this type of behavior?

Tags (1)
0 Karma

woodcock
Esteemed Legend

If you are using CIM, like this:

| tstats summariesonly=t count values(dest) AS destCount
FROM datamodel=Authentication 
WHERE index=* AND nodename=Authentication.Successful_Authentication
BY Authentication.src
| where destCount >= 2
0 Karma

johann2017
Explorer

No we aren't using CIM. Seems like it could be useful. It's to help give you some sort of normalization for your data?

0 Karma

woodcock
Esteemed Legend

Exactly. You definitely should start there and come back here after that and click Accept either on this answer or on your answer after posting what you actually did.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...