
Same computer multiple authentication attempts

johann2017
Explorer

Hello. How would I write a search to show a computer that has been authenticating to multiple machines. For example, a hacker is logged into one computer (let's call it computer "A"), and from that same computer he is successfully logging onto multiple machines across the network (computers "B - Z"). How would I return the source computer "A" (or IP address) and the destination machines ("B - Z") that he has been logging into?

This is assuming I don't know what computer the hacker is on. Therefore, I imagine some sort of logon threshold from a single machine would need to be defined in order to identify this type of behavior?


woodcock
Esteemed Legend

If you are using CIM, like this:

| tstats summariesonly=t count dc(Authentication.dest) AS destCount values(Authentication.dest) AS dests
  FROM datamodel=Authentication
  WHERE index=* AND nodename=Authentication.Successful_Authentication
  BY Authentication.src
| where destCount >= 2

johann2017
Explorer

No we aren't using CIM. Seems like it could be useful. It's to help give you some sort of normalization for your data?


woodcock
Esteemed Legend

Exactly. You definitely should start there and come back here after that and click Accept either on this answer or on your answer after posting what you actually did.

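Since the thread ends with CIM not being in use, here is the same fan-out logic written out as a stand-alone script over a few constructed logon records. This is an added example, not code from the thread or from Splunk; it computes what the tstats answer above computes (distinct destinations per source, compared against a threshold), plus a sliding time window and the usual exclusions (failed logons, non-network logon types, machine accounts, local/empty source addresses). The field names src, dest, user, logon_type and success, the threshold of 5 and the one-hour window are all assumptions standing in for whatever your sourcetype actually extracts. In SPL the core of it is the equivalent of `stats dc(dest) AS destCount values(dest) AS dests BY src, user | where destCount >= 5`, if your data already carries those fields.

```python
"""Fan-out detection: one source successfully authenticating to many hosts.

Added example, not from the thread. Record field names (src, dest, user,
logon_type, success) are assumptions; map them to your own extractions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data), Windows-style logons.
# 10.0.0.5 / jdoe reaches six distinct hosts within 40 minutes, which is the
# pattern the question describes. Other rows are noise the filter should drop.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-B", "logon_type": 3, "success": True},
    {"time": "2024-05-01T09:05:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-C", "logon_type": 3, "success": True},
    {"time": "2024-05-01T09:12:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-D", "logon_type": 3, "success": True},
    {"time": "2024-05-01T09:20:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-E", "logon_type": 10, "success": True},
    {"time": "2024-05-01T09:33:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-F", "logon_type": 3, "success": True},
    {"time": "2024-05-01T09:40:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-G", "logon_type": 3, "success": True},
    {"time": "2024-05-01T09:50:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-H", "logon_type": 3, "success": False},  # failed: ignored
    {"time": "2024-05-01T11:30:00", "src": "10.0.0.5", "user": "jdoe", "dest": "HOST-Z", "logon_type": 3, "success": True},   # outside the window
    {"time": "2024-05-01T02:00:00", "src": "10.0.0.9", "user": "svc_backup", "dest": "FS01", "logon_type": 3, "success": True},
    {"time": "2024-05-01T02:10:00", "src": "10.0.0.9", "user": "svc_backup", "dest": "FS02", "logon_type": 3, "success": True},
    {"time": "2024-05-01T03:00:00", "src": "10.0.0.7", "user": "WS01$", "dest": "DC01", "logon_type": 3, "success": True},     # machine account
    {"time": "2024-05-01T03:01:00", "src": "10.0.0.7", "user": "WS01$", "dest": "DC02", "logon_type": 3, "success": True},
    {"time": "2024-05-01T08:00:00", "src": "127.0.0.1", "user": "jdoe", "dest": "HOST-A", "logon_type": 2, "success": True},   # local/interactive
]

LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def detect_fanout(events, threshold=5, window=timedelta(hours=1), logon_types=(3, 10)):
    """Return {(src, user): [dest, ...]} for every source/account pair that
    successfully reached at least `threshold` distinct destinations within
    any `window`-long span. Only network (3) and RDP (10) logons count.
    Destinations reported are those seen in windows that met the threshold,
    so a stray logon hours later (HOST-Z above) is not lumped in."""
    by_key = defaultdict(list)
    for ev in events:
        if not ev["success"] or ev["logon_type"] not in logon_types:
            continue
        if ev["user"].endswith("$") or ev["src"] in LOCAL_SOURCES:
            continue  # machine accounts and local sources are expected noise
        by_key[(ev["src"], ev["user"])].append((datetime.fromisoformat(ev["time"]), ev["dest"]))

    hits = defaultdict(set)
    for key, evs in by_key.items():
        evs.sort()
        in_window = defaultdict(int)  # dest -> events currently inside the window
        left = 0
        for t_right, dest_right in evs:
            in_window[dest_right] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while t_right - evs[left][0] > window:
                old_dest = evs[left][1]
                in_window[old_dest] -= 1
                if in_window[old_dest] == 0:
                    del in_window[old_dest]
                left += 1
            if len(in_window) >= threshold:
                hits[key].update(in_window)
    return {key: sorted(dests) for key, dests in hits.items()}


if __name__ == "__main__":
    for (src, user), dests in detect_fanout(SAMPLE_EVENTS).items():
        print(f"{src} ({user}) -> {len(dests)} hosts: {', '.join(dests)}")
```

The threshold is the knob the question asks about: run it first with a high value to see what your backup, scanning and management accounts legitimately do, then add those to an allowlist rather than raising the threshold for everyone. The sliding window matters because a fixed `bin _time span=1h` can split one burst across two bins and hide it.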