Splunk Search

Searching authentication attempts

Yhwhison3
Loves-to-Learn Lots

Hello, I'm currently doing some training as part of a SOC analyst intern position. One of the questions in the little exercise our trainer created for us is this (some information has been omitted purposely in respect to the organization): How many of each user category authentication attempt exist for all successful authentications?  

 

Would someone be able to assist me with a general start for how I  would write up my search to look for this kind of info?

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

The question is indeed a bit vaguely worded.

But in general, you would first want to search only for authentication attempts (hard to say how since we don't know what data you have). It would be best if you had data normalized to CIM, then you could just seafch from the data model.

Then you just do stats over your desired splitting fields.

That should do the trick.

0 Karma

marnall
Motivator

The question could be worded better. You could ask your instructor if they want you to "estimate how many users, in each user category, have performed a successful authentication."

If that is the question being asked, then you could filter to only successful authentications and then use the statistics commands in Splunk to produce a table counting how many different users in each category have successfully authenticated.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...