Hello, I'm currently doing some training as part of a SOC analyst intern position. One of the questions in the little exercise our trainer created for us is this (some information has been omitted purposely in respect to the organization): How many of each user category authentication attempt exist for all successful authentications?
Would someone be able to assist me with a general start for how I would write up my search to look for this kind of info?
The question is indeed a bit vaguely worded.
But in general, you would first want to search only for authentication attempts (hard to say how since we don't know what data you have). It would be best if you had data normalized to CIM, then you could just seafch from the data model.
Then you just do stats over your desired splitting fields.
That should do the trick.
The question could be worded better. You could ask your instructor if they want you to "estimate how many users, in each user category, have performed a successful authentication."
If that is the question being asked, then you could filter to only successful authentications and then use the statistics commands in Splunk to produce a table counting how many different users in each category have successfully authenticated.