Re: Same computer multiple authentication attempts

johann2017 · ‎02-18-2019

Hello. How would I write a search to show a computer that has been authenticating to multiple machines. For example, a hacker is logged into one computer (let's call it computer "A"), and from that same computer he is successfully logging onto multiple machines across the network (computers "B - Z"). How would I return the source computer "A" (or IP address) and the destination machines ("B - Z") that he has been logging into?

This is assuming I don't know what computer the hacker is on. Therefore, I imagine some sort of logon threshold from a single machine would need to be defined in order to identify this type of behavior?

woodcock · ‎02-18-2019

If you are using CIM, like this:

| tstats summariesonly=t count values(dest) AS destCount
FROM datamodel=Authentication 
WHERE index=* AND nodename=Authentication.Successful_Authentication
BY Authentication.src
| where destCount >= 2

johann2017 · ‎02-19-2019

No we aren't using CIM. Seems like it could be useful. It's to help give you some sort of normalization for your data?

woodcock · ‎03-06-2019

Exactly. You definitely should start there and come back here after that and click Accept either on this answer or on your answer after posting what you actually did.

Same computer multiple authentication attempts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation