Splunk Search

Tracking User Activity Across applications without matching sourcetypes or Fields

scc00
Contributor

I am attempting to track user activity from vdi login to the use of a shared account to log into an application. For example, user=Tim logs into his VDI session VDI-XXXX at 9am, then opens up application, sample_app, and logs in as user=admin. How do I bring the two events into one transaction? In this case, assume that we have the application account name only, admin and that the vdi user name can change.

I can track general logons as follows as a catchall:

index="*" user="*"  "*logged*"

I've attempted to use a subsearch to narrow it down to just the application usage and hopefully the vdi session that led to the application logon but those searches come back blank.

Sample searches tried:

index=* user=* "*logged*" [search sourcetype=sample_app user=admin "*logged*" | fields + user, computer, event] | table _time, user, computer, event | sort _time
0 Karma
1 Solution

scc00
Contributor

So I found a better way to complete this query, using a multisearch. See updated query below. It searches for VDI session computer utilizing a inputlookup searching for expected users of the shared account. The second search is just checking for login activity for the shared account along for the application.

|multisearch [search index=* *logged* ComputerName=pci-vdi* [|inputlookup account_users |fields + user] |fields + user,name, ComputerName,Msg,app, EventCode,src_ip] [search sourcetype=application user="sharedaccount" *logged* action=success | fields + user,host, Msg, app] | eval computer= coalesce(ComputerName, host), event=coalesce(name, Msg), Hour=strftime(_time, "%B %d %Y, %I:%M:%S %p"), user=upper(user) | dedup computer event |where computer!=" " | table Hour, user, computer, app,event | sort Hour user

Now I need to figure out how to populate the searches only when search 2 finds a hit. Thoughts?

View solution in original post

scc00
Contributor

So I found a better way to complete this query, using a multisearch. See updated query below. It searches for VDI session computer utilizing a inputlookup searching for expected users of the shared account. The second search is just checking for login activity for the shared account along for the application.

|multisearch [search index=* *logged* ComputerName=pci-vdi* [|inputlookup account_users |fields + user] |fields + user,name, ComputerName,Msg,app, EventCode,src_ip] [search sourcetype=application user="sharedaccount" *logged* action=success | fields + user,host, Msg, app] | eval computer= coalesce(ComputerName, host), event=coalesce(name, Msg), Hour=strftime(_time, "%B %d %Y, %I:%M:%S %p"), user=upper(user) | dedup computer event |where computer!=" " | table Hour, user, computer, app,event | sort Hour user

Now I need to figure out how to populate the searches only when search 2 finds a hit. Thoughts?

puneethgowda
Communicator

Index=internal sourcetyp=* | stats count by clientip,user

0 Karma

scc00
Contributor

Samples events are below:

VDI logon events:
"An account was successfully logged on.

Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3

Impersonation Level: Impersonation

New Logon:
  Security ID: LB\DEV1$
  Account Name: DEV1$
  Account Domain: LB
  Logon ID: 0x894B5E95
  Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}

Process Information:
  Process ID: 0x0
  Process Name: -"

Application logon sample: (these differ per application) - Use of the root account in linux

"su: pam_unix(su-l session): session opened for user root by (uid-=0)"

For VDI type: VMWare (unsure which version though).

0 Karma

woodcock
Esteemed Legend

Did I reformat your text correctly? You have neglected to show _time which is really the key here. How close together are these events in time (or should I say "at worst, how far apart are the matching events from eachother in tme")? And is it always 1-to-1 for pairing?

0 Karma

Richfez
SplunkTrust
SplunkTrust

In addition to showing some sample events, it might also be useful to know which VDI system you are using in case there's some additional or different logs you can enable that will tell you this information directly.

0 Karma

woodcock
Esteemed Legend

You are going to have to show some sample events.

0 Karma

scc00
Contributor

Samples events are below:

VDI logon events:
"An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: LB\DEV1$
Account Name: DEV1$
Account Domain: LB
Logon ID: 0x894B5E95
Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}

Process Information:
Process ID: 0x0
Process Name: -"

Application logon sample: (these differ per application) - Use of the root account in linux
"su: pam_unix(su-l session): session opened for user root by (uid-=0)"

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...