Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About Dustem
Dustem
Explorer
Member since:
09-06-2023
11-13-2023
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 09-06-2023 |
Activity Feed
- Posted Re: Using stolen or forged tickets (TGT) on Splunk Search. 10-30-2023 08:18 PM
- Posted Re: Using stolen or forged tickets (TGT) on Splunk Search. 10-26-2023 03:40 AM
- Posted Re: Using stolen or forged tickets (TGT) on Splunk Search. 10-23-2023 11:12 PM
- Posted Re: Using stolen or forged tickets (TGT) on Splunk Search. 10-21-2023 08:26 PM
- Got Karma for Re: Using stolen or forged tickets (TGT). 10-17-2023 06:31 AM
- Posted Re: Using stolen or forged tickets (TGT) on Splunk Search. 10-17-2023 06:30 AM
- Posted Re: Using stolen or forged tickets (TGT) on Splunk Search. 10-16-2023 06:52 PM
- Posted Using stolen or forged tickets (TGT) on Splunk Search. 10-16-2023 05:39 AM
- Tagged Using stolen or forged tickets (TGT) on Splunk Search. 10-16-2023 05:39 AM
- Posted Re: Scan Behavior on Splunk Search. 09-19-2023 07:31 PM
- Posted Re: Scan Behavior on Splunk Search. 09-11-2023 07:00 AM
- Posted Re: Scan Behavior on Splunk Search. 09-11-2023 06:46 AM
- Posted Scan Behavior: How to query the trigger for the same period for three consecutive days? on Splunk Search. 09-11-2023 04:33 AM
- Tagged Scan Behavior: How to query the trigger for the same period for three consecutive days? on Splunk Search. 09-11-2023 04:33 AM
- Posted Re: Using stolen or forged user tickets (TGT) on Splunk Search. 09-07-2023 08:43 PM
- Posted Re: Using stolen or forged user tickets (TGT) on Splunk Search. 09-07-2023 08:09 PM
- Posted Re: Using stolen or forged user tickets (TGT) on Splunk Search. 09-06-2023 06:51 AM
- Posted Using stolen or forged user tickets (TGT) on Splunk Search. 09-06-2023 04:47 AM
- Posted Slow scanning on Splunk Search. 09-06-2023 04:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-30-2023
08:18 PM
We refer to the golden ticket attack, according to the Kerberos mechanism, a prerequisite for a service ticket request is a user ticket request (or renewal of an existing ticket). When this is not the case and we do not see a corresponding prior login event, the user ticket is suspected to be forged or stolen from another machine. So the logic of the detection is that one of the following corresponding events does not occur before the service ticket request (Eventcode=4769): 1. user ticket (TGT) request (Eventcode=4768). 2. ticket renewal request (Eventcode=4770). 3. Login event (Eventcode=4624).
... View more
10-26-2023
03:40 AM
hi yuanliu, Do you have any updates? We need filter out events where a user has only Eventcode=4776 over a while, and exclude events where 4770 or 4768, or 4624 precede 4776, because we think that this situation is reasonable and that only the presence of 4776 alone is illegal.
... View more
10-23-2023
11:12 PM
The query needs to be in an intranet environment, so I can't provide it. I can describe the query result, the results I get from the query based on SPL are only events about 4769, but I again make a new query with the user field as a keyword in the query results, and I will find that there are three other Eventcode records for this user within 24 hours. So I require that I want the query result to be a user who has only events about 4769 and not three other Eventcodes within 24 hours.
... View more
10-21-2023
08:26 PM
In this case, how do i continue filter out the events that precede the appearance of 4769 without the other three Eventcodes?
... View more
10-17-2023
06:30 AM
1 Karma
I'm used the SPL you provided but didn't solve it. So I adjusted the SPL, filtered out the same user in a period events, and then filter out Eventcode only 4769 case.
index="xx"
| transaction user maxspan=24h maxpause=10h connected=false
| search NOT Eventcode IN (4768,4770,4624) AND Eventcode=4769
... View more
10-16-2023
06:52 PM
I want to query the same user only 4769 events in 24h without the other three eventcode (4768, 4770, 4624) events, the SPL doesn't fulfill this requirement.
... View more
10-16-2023
05:39 AM
Hi guys, I want to detect a service ticket (TGS) request (Windows event code 4769) that is not preceded by one of the following corresponding events:
1. User ticket (TGT) request, Windows event code 4768.
2. Ticket renewal request, Windows event code 4770.
3. Logon event, Windows event code 4624.
The following is the SPL I wrote, but I found that there is a problem, could you help me to modify it?
index="xx"
| transaction user maxspan=24h maxpause=10h startwith=("Eventcode=4768", "Eventcode=4770", "Eventcode=4624") endswit="Eventcode=4769" keepevicted=true
| search Eventcode=4769 NOT (Eventcode=4768 OR Eventcode=4770 OR Eventcode=4624)
... View more
- Tags:
- spl
Labels
- Labels:
-
stats
09-19-2023
07:31 PM
Hello gcusello, Sorry, I forgot to reply. I rewrote SPL myself to complete the requirements, thanks for your help.
... View more
09-11-2023
06:46 AM
Hi gcusello, How do I set it to trigger at the same time in three days?
... View more
09-11-2023
04:33 AM
hi guys, I want to detect that more than 10 different ports of the same host are sniffed and scanned every 15 minutes and triggered 5 times in a row, then the alarm; If the same time period is triggered for three consecutive days, the alarm is triggered. The current SPL:
index="xx"
| bin _time span=15m
| stats dc(dest_port) as dc_ports by _time src_ip dest_ip
| where dc_ports > 10 | streamstats count as consecutive_triggers by src_ip dest_ip reset_on_change=Ture
| where consecutive_triggers>=5
Next, I don't know how to query the trigger for the same period for three consecutive days.
... View more
- Tags:
- spl
- splunk search
Labels
- Labels:
-
stats
09-07-2023
08:43 PM
Not during this period, but the user did not have 4768 or 4770 events prior to this period.
... View more
09-07-2023
08:09 PM
I want to search for a user with 4769 events over a continuous period, but the user has no 4768 or 4770 events during that time, instead of 4769 and no 4768 or 4770 users.
... View more
09-06-2023
06:51 AM
Hi gcusello, My description may not be accurate. I want to detect eventcode=4769 and then detect whether the user of this event(eventcode=4769) has eventcode=4768 or eventcode=4770 before it.
... View more
09-06-2023
04:47 AM
hi guys, I want to detect a service ticket request (Windows event code 4769) and one of the following corresponding events does not appear before the service ticket request: 1. User Ticket (TGT) request, Windows event code 4768. 2. Ticket renewal request, Windows event code 4770.
... View more
09-06-2023
04:44 AM
hi guys, I want to detect that more than 10 different ports of the same host are sniffed and scanned every 15 minutes and triggered 5 times in a row, then the alarm; If the same time period is triggered for three consecutive days, the alarm is triggered.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-13-2023
11:02 PM
|
