Re: Search to find unauthorized host(s) last login...

cjsweeney1 · ‎03-22-2017

Hi looking for a search to find any unauthorized systems that are sitting on a network and the last login date.

richgalloway · ‎03-22-2017

To find unauthorized systems you'll first need a list of the authorized systems, perhaps in a lookup file. Then search to find ALL systems on your network and compare that list to the authorized list. The difference is the unauthorized systems.

---
If this reply helps you, Karma would be appreciated.

cjsweeney1 · ‎03-22-2017

Hey Rich,

You know a search string to find a particular hosts last ip "pull" is... I'm wondering if the last time it had a DHCP timestamp assigned is all I will be able to get.

richgalloway · ‎03-22-2017

I don't know that.

---
If this reply helps you, Karma would be appreciated.

cjsweeney1 · ‎03-22-2017

Hmmm.... could work. Could that lookup file be automatically updated? I was hoping enterprise security would have a report like this built-in.

richgalloway · ‎03-22-2017

Yes, it's possible to automatically update the lookup file.

---
If this reply helps you, Karma would be appreciated.

Search to find unauthorized host(s) last login date

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes