Activity Feed
- Posted SQS-Based-S3 Input for Cloudtrail black list events on Getting Data In. 06-06-2023 10:50 AM
- Posted Concurrent logons from different workstations on Splunk Search. 03-02-2021 09:51 AM
- Posted Re: Concurrent Logins on multiple Linux servers on Splunk Search. 01-12-2021 11:17 AM
- Posted Re: Concurrent Logins on multiple Linux servers on Splunk Search. 01-12-2021 10:19 AM
- Karma Re: Concurrent Logins on multiple Linux servers for scelikok. 01-12-2021 10:18 AM
- Karma Re: Failed Logon attempt Correlation for richgalloway. 01-12-2021 09:17 AM
- Posted Re: Concurrent Logins on multiple Linux servers on Splunk Search. 01-12-2021 09:06 AM
- Tagged Re: Concurrent Logins on multiple Linux servers on Splunk Search. 01-12-2021 09:06 AM
- Posted Concurrent Logins on multiple Linux servers on Splunk Search. 01-11-2021 11:44 AM
- Posted Re: Failed Logon attempt Correlation on Splunk Search. 01-11-2021 10:51 AM
- Posted Re: Failed Logon attempt Correlation on Splunk Search. 01-11-2021 09:33 AM
- Posted Re: Failed Logon attempt Correlation on Splunk Search. 01-05-2021 11:38 AM
- Posted Re: Failed Logon attempt Correlation on Splunk Search. 01-05-2021 08:37 AM
- Posted Failed Logon attempt Correlation on Splunk Search. 01-05-2021 07:10 AM
06-06-2023
10:50 AM
I'm currently using the SQS-based S3 input for CloudTrail and I'm trying to drop noisy events such as Get and List. The documentation says the standard input supports exclude_describe_events and blacklist to filter out unwanted events, which I set, but after looking into it further it seems that a props/transforms configuration is needed. I have configured the following in props and transforms.

props.conf

```ini
[aws:cloudtrail]
TRANSFORMS-filter = eventsDrop
```

transforms.conf

```ini
#Filters out events that are not needed
[eventsDrop]
REGEX = "^Describe|Get|List\p{Lu}|LookupEvents"
DEST_KEY = queue
FORMAT = nullQueue
```

I tested the regex and it matches events, but the events are not being dropped as expected. This is on a HF that collects the logs before they go to the indexers.
Labels: blacklist, props.conf, transforms.conf
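As an added illustration (my own Python, not code from the post or from Splunk), the script below applies the posted alternation the way a transforms.conf REGEX sees it, against the serialized record text, since SOURCE_KEY defaults to _raw, and beside it the eventName-anchored form that a read-only event filter intends. `\p{Lu}` is written as `[A-Z]` because Python's re module has no Unicode property classes; the records are constructed and carry only the fields the filter needs.

```python
import json
import re

# Constructed CloudTrail-style records for the demonstration (not real data; only the
# fields the filter needs are present).
SAMPLE_RECORDS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com"},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com"},
    {"eventName": "LookupEvents", "eventSource": "cloudtrail.amazonaws.com"},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com"},
    # A change event whose raw text happens to contain "Get" inside a parameter value.
    {"eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com",
     "requestParameters": {"name": "GetStartedTrail"}},
]

# The alternation from the post, with \p{Lu} written as [A-Z] because Python's re
# module has no Unicode property classes. Only the first branch carries the ^ anchor.
AS_POSTED = re.compile(r"^Describe|Get|List[A-Z]|LookupEvents")

# Every branch anchored, intended to run against eventName rather than the whole record.
READ_ONLY_EVENT = re.compile(r"^(Describe|Get|List[A-Z]|LookupEvents)")


def posted_pattern_hits_raw(record):
    """Apply the posted alternation to the serialized record, the way a transform
    whose SOURCE_KEY is left at the default (_raw) sees the event."""
    return AS_POSTED.search(json.dumps(record)) is not None


def is_read_only(record):
    """True when eventName starts with Describe/Get/List<Upper> or is LookupEvents."""
    return READ_ONLY_EVENT.match(record.get("eventName", "")) is not None


def filter_records(records):
    """Split records into (kept, dropped) eventName lists using the eventName filter."""
    kept, dropped = [], []
    for rec in records:
        (dropped if is_read_only(rec) else kept).append(rec["eventName"])
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_records(SAMPLE_RECORDS)
    print("dropped:", dropped)
    print("kept:   ", kept)
    for rec in SAMPLE_RECORDS:
        print(f"{rec['eventName']:18} raw-text match as posted: {posted_pattern_hits_raw(rec)}")
```

Run against the raw JSON, `^Describe` can never match because every CloudTrail record starts with `{`, while the unanchored `Get` branch fires on any record that merely contains that substring (the DeleteTrail record above). Anchoring each branch and matching eventName makes the drop decision depend only on the API call name, which is the property a read-only filter should key on; the quotes around the REGEX value in the post are also not the documented form for transforms.conf.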
03-02-2021
09:51 AM
I have a requirement to see which users have logged into multiple servers before logging out of the previous server. I currently have this search set up:

```
index="fed-prod" L_Action="New session"
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_user
| where host_count > 1
```

This search finds all the users who have logged into multiple servers, but it does not tell me if they have logged out of the other server first, or allow me to narrow the time down to within a certain window. I currently do not have an active feed into Splunk and upload data manually due to licensing restrictions. The report would need to be run weekly. I would like to do this one of two ways. The first option would be to add a time parameter to the current search above that checks the timestamp of the log to be within a 15-minute window if the user logged into two. If the timestamps of the two logs are within 15 minutes, it outputs a finding of the user and the servers they logged into. The second option would be to do some sort of subsearch that would check which users logged in to what servers, then check to see if they logged out before logging into another one.
Labels: stats
01-12-2021
11:17 AM
@scelikok Question for you. This helps me find users who have logged into multiple systems within the last 30 minutes:

```
index="Wawf" L_Action="New session" earliest=-30min latest=now
| stats values(L_Server) as Linux_Server dc(L_Server) as host_count by L_user
| where host_count > 1
```

How can I expand on this to track whether the user logged off before logging into another system? Would that be a completely different search? If a user logs into server1 then logs into server2, this is a finding. If a user logs into server1, logs off, then logs into server2, this is not a finding.
01-12-2021
10:19 AM
@scelikok Thanks for the Help
01-12-2021
09:06 AM
@scelikok I tried the search you suggested; it seems like it is having an issue with this line: `|where host_count>1`. When I run the following command:

```
index="Wawf" L_Action="New session" earliest=-30min latest=now
| stats values(L_Server) as Linux_Server dc(Linux_Server) as host_count by L_user
```

I get a list of users who have logged into multiple servers and single servers during that time frame, but host_count does not go above 0. Any idea why that may be?
Tags: hello
01-11-2021
11:44 AM
Hello, I am trying to find users who have logged into more than one system within the last 30 minutes. I want to return a list of users who have logged into more than one system during that time frame. The stats function of the search does not seem to pull any results after finding all the login sessions, according to the job inspector. The stats function is supposed to find distinct users where hosts is greater than 1.

```
index="Wawf" L_Action="New session" earliest=-30min latest=now
| stats dc(L_User) as users dc(Linux_Server) as hosts by L_User,Linux_Server
| where hosts>1 | table L_User, Linux_Server
```
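The three posts above (the weekly report, the 30-minute question to @scelikok, and this one) all describe the same detection: a user opening a session on a second Linux server while a session on the first is still open. A `stats dc(...)` search can count distinct servers per user, but it cannot order logon and logoff events, which is what "logged off first" needs. The following is an added example in Python (my own code, not from the thread or from Splunk) that walks the events in time order and keeps a per-user table of open sessions; the events are constructed in the shape of the post's fields (L_Server, L_Action, L_user), with "Removed session" standing in for the logoff event.

```python
from datetime import datetime, timedelta

# Constructed session events in the shape of the post's fields:
# (timestamp, L_Server, L_Action, L_user). "Removed session" stands in for the logoff event.
SAMPLE_EVENTS = [
    ("2021-01-11 08:00:00", "server3", "New session", "carol"),
    ("2021-01-11 09:00:00", "server1", "New session", "alice"),
    ("2021-01-11 09:05:00", "server2", "New session", "alice"),    # server1 session still open
    ("2021-01-11 09:10:00", "server1", "Removed session", "alice"),
    ("2021-01-11 09:20:00", "server1", "New session", "bob"),
    ("2021-01-11 09:25:00", "server1", "Removed session", "bob"),
    ("2021-01-11 09:30:00", "server2", "New session", "bob"),      # logged off server1 first
    ("2021-01-11 09:40:00", "server2", "New session", "carol"),    # server3 open, but 100 min earlier
]


def parse_events(events):
    """Convert timestamps and sort chronologically; the session logic depends on order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), server, action, user)
              for ts, server, action, user in events]
    return sorted(parsed, key=lambda e: e[0])


def find_concurrent_logons(events, window=timedelta(minutes=15)):
    """Return (user, earlier_server, new_server, login_time) for each logon that
    happens while the same user still has a session open on a different server.

    window=None reports any overlapping session (the post's second option); a
    timedelta restricts findings to logons within that long of the earlier one
    (the post's first, 15-minute option).
    """
    open_sessions = {}   # user -> {server: time of the most recent open session there}
    findings = []
    for ts, server, action, user in parse_events(events):
        sessions = open_sessions.setdefault(user, {})
        if action == "New session":
            for other_server, started in sessions.items():
                if other_server == server:
                    continue            # a second session on the same host is not a finding
                if window is None or ts - started <= window:
                    findings.append((user, other_server, server, ts))
            sessions[server] = ts
        elif action == "Removed session":
            sessions.pop(server, None)   # session closed; later logons elsewhere are clean
    return findings


if __name__ == "__main__":
    for user, src, dst, ts in find_concurrent_logons(SAMPLE_EVENTS):
        print(f"{ts:%H:%M} {user}: logged into {dst} while still logged into {src}")
```

With the 15-minute window only alice is reported; with `window=None` carol's long-lived server3 session also surfaces when she logs into server2. On the SPL side, note that in `stats values(L_Server) as Linux_Server dc(Linux_Server) as host_count by L_user` the `dc()` is computed over an input field named Linux_Server, which does not exist before stats runs (the `as Linux_Server` only names an output column), so host_count stays at 0; `dc(L_Server)` counts the field the events actually carry.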
01-11-2021
10:51 AM
In the inner search I renamed the field ephemeral_Port to Port. When I break the searches down into the following:

```
index="wawf-prod" (Failed password AND Linux_Server="wawfprodftpd37")
| rename ephemeral_Port as Port
| return 1000 Port
```

this returns the list of ports shown in the screenshot I sent above. When I run the search below with a hard-coded value for PA_natSourcePort = 20961, it returns a match. The port number 20961 is one of the values returned from the first search, which I hard-coded to see if it was a values issue. Some of the hard-coded values match and some do not.

```
index="palo-test" PA_natDestinationIP=10.63.16.103 AND PA_natSourcePort = 20961
```

So something is happening in the PA_natSourcePort = Port comparison when the two searches are combined with a subsearch. Any ideas why that is?

```
index="palo-test" ( PA_natDestinationIP=10.63.16.103 AND PA_natSourcePort = Port)
    [ search index="wawf-prod" (Failed password AND Linux_Server="wawfprodftpd37")
    | rename ephemeral_Port as Port
    | return 1000 Port ]
| stats count by PA_SourceAddress | sort by count desc | table PA_SourceAddress, Port, PA_natSourcePort, count
```
01-11-2021
09:33 AM
I am still having issues with this. The subsearch returns the following: When I run the full search together I get nothing; when I just run the outer search with hard-coded values I get a match. When I do Empherical_Port = 20961, which is in the port values list about 200 values into the list, the searches combined give me nothing; when I run the inner search and then hard-code the values into the outer search, some get hits and some do not. Is it not running through the whole return list?

```
index="palo" ( natDestinationIP=10.63.16.103 AND Empherical_Port=natSource_Port )
index="palo" ( natDestinationIP = 10.63.16.103 AND natSourcePort =20961 )
```
01-05-2021
11:38 AM
When I ran the subsearch on its own I got values like (ephemerical_Port="63450"). I added a $ to the field name and it dropped the Empherical_Port and updated the results to an example like (63450). I think the problem now is that it is trying to look through and match up Empherical_Port=natSource_Port as (63450) = 63450, which would show as not a match.

```
index="palo" ( natDestinationIP=10.63.16.103 AND Empherical_Port=natSource_Port )
    [ search index="wawf" (Failed password AND Linux_Server="server1")
    | return 1000 $empherical_Port ]
| stats count by PA_SourceAddress
| sort by count desc
| table SourceAddress, Empherical_Port, NatSource_Port
```
01-05-2021
08:37 AM
So I have my two searches. The inner search finds the failed password attempts for a particular server (I tested it and it works). I need this to return a list of all the port numbers used for the failed logon attempts; the return portion does not seem to work. The outer search will search for the server IP (DestinationIP) and take the list of port numbers returned from the first search and match it with the NAT port number. I am having trouble with the return portion of the search as well as with the outer search. I am not sure if the return function is not returning the list, so it cannot match up port numbers.

```
index="palo" ( natDestinationIP=10.63.16.103 AND Empherical_Port=natSource_Port )
    [ search index="wawf" (Failed password AND Linux_Server="server1")
    | return empherical_Port ]
| stats count by PA_SourceAddress
| sort by count desc
| table SourceAddress, Empherical_Port, NatSource_Port
```
01-05-2021
07:10 AM
Hello, our environment has a Linux server that continually gets hit with brute-force attacks. I am trying to figure out where they are coming from. Since our servers are behind a NATed firewall, I need to be able to see the failed logon attempts and match the server IP and port number to the DestinationIP and natSourcePort. I am trying to use a subsearch. I have one search that searches all of our indexes for failed passwords from the server IP, and I want it to return the port number. Then a second search matches the IP and port numbers of the first search and returns the top source addresses. Here is what I have so far. Any help would be appreciated.

```
index="palo" ( PA_natDestinationIP=Server IP AND PortNumber=PA_natSource_Port )
    [ search index="*" Failed password IP = ServerIP | return PortNumber ]
| stats count by PA_SourceAddress
| sort by count desc
```
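The Failed Logon attempt Correlation posts above all try the same join: the server behind the firewall only sees the translated source address, so the NAT source port (plus the server IP) is the key that links a failed sshd logon back to the firewall record holding the real client address. The following is an added example in Python (my own code, not from the thread or from Splunk) that performs that join over constructed data. The sshd lines and firewall records are made up for the demonstration; the server address 10.63.16.103, the host name wawfprodftpd37 and the PA_* field names are taken from the posts, and the syslog year is assumed to be 2021 because syslog lines carry none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

SERVER_IP = "10.63.16.103"   # from the posts: the NAT destination (the attacked server)
SYSLOG_YEAR = 2021           # assumption: syslog lines carry no year

# Constructed sshd lines as the server behind the firewall logs them. sshd sees the
# firewall's translated address (10.63.0.1 here), so only the port links back to the client.
SSHD_LOG = """
Jan  5 06:58:01 wawfprodftpd37 sshd[2231]: Failed password for root from 10.63.0.1 port 63450 ssh2
Jan  5 06:58:04 wawfprodftpd37 sshd[2231]: Failed password for root from 10.63.0.1 port 63450 ssh2
Jan  5 06:59:10 wawfprodftpd37 sshd[2240]: Failed password for invalid user admin from 10.63.0.1 port 20961 ssh2
Jan  5 07:05:30 wawfprodftpd37 sshd[2251]: Accepted publickey for deploy from 10.63.0.1 port 41022 ssh2
Jan  5 09:30:00 wawfprodftpd37 sshd[3102]: Failed password for root from 10.63.0.1 port 63450 ssh2
""".strip().splitlines()

# Constructed firewall records in the shape of the posts' PA_* fields (TEST-NET addresses).
FIREWALL_LOG = [
    {"time": "2021-01-05 06:57:59", "PA_SourceAddress": "203.0.113.7",
     "PA_natDestinationIP": SERVER_IP, "PA_natSourcePort": "63450"},
    {"time": "2021-01-05 06:59:08", "PA_SourceAddress": "203.0.113.7",
     "PA_natDestinationIP": SERVER_IP, "PA_natSourcePort": "20961"},
    {"time": "2021-01-05 07:05:28", "PA_SourceAddress": "198.51.100.9",
     "PA_natDestinationIP": SERVER_IP, "PA_natSourcePort": "41022"},   # successful logon, not a failure
    {"time": "2021-01-05 09:29:58", "PA_SourceAddress": "198.51.100.20",
     "PA_natDestinationIP": SERVER_IP, "PA_natSourcePort": "63450"},   # same port reused hours later
    {"time": "2021-01-05 06:58:00", "PA_SourceAddress": "192.0.2.44",
     "PA_natDestinationIP": "10.63.16.104", "PA_natSourcePort": "63450"},  # a different server
]

SSHD_FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_failed_logons(lines):
    """Return (timestamp, port) for every failed-password line; other sshd lines are ignored."""
    attempts = []
    for line in lines:
        m = SSHD_FAILED_RE.match(line)
        if not m:
            continue
        # Collapse the double space syslog uses for single-digit days before parsing.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        attempts.append((ts.replace(year=SYSLOG_YEAR), int(m.group("port"))))
    return attempts


def correlate_sources(ssh_lines, fw_records, server_ip, window=timedelta(seconds=60)):
    """Count real client addresses behind the failed logons on server_ip.

    A firewall record matches an attempt when it targets the same server, carries the
    same NAT source port and (unless window is None) lies within `window` of the attempt.
    Returns Counter.most_common() output: [(PA_SourceAddress, count), ...].
    """
    counts = Counter()
    for ts, port in parse_failed_logons(ssh_lines):
        for rec in fw_records:
            if rec["PA_natDestinationIP"] != server_ip or int(rec["PA_natSourcePort"]) != port:
                continue
            fw_ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
            if window is not None and abs(fw_ts - ts) > window:
                continue   # same port, but a different connection; ports are recycled
            counts[rec["PA_SourceAddress"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for address, count in correlate_sources(SSHD_LOG, FIREWALL_LOG, SERVER_IP):
        print(f"{address:16} {count} failed logon(s)")
```

The time bound matters: ephemeral ports are reused, and without it the 09:30 attempt on port 63450 is attributed to both clients that ever used that port. The equivalent SPL needs the subsearch to emit the field name the outer search actually compares on; `return 1000 Port` produces `(Port="63450") OR ...`, and a Palo Alto event has no field called Port, so renaming inside the subsearch to the outer field (`| rename ephemeral_Port as PA_natSourcePort | return 1000 PA_natSourcePort`) lets the OR-ed terms match, and the timestamp constraint then has to be added on top, for example with a time-bounded join.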