F5 BigIP Brute Force and Session Abuse

Multiple Users Authenticating from a Single, Non-Whitelisted IP

Basically I needed a way to determine whether a series of users are connecting from a single IP. This is particularly useful under COVID-19 work-from-home constraints.
The search looks at the VPN index for new session initiations, excluding all RFC1918 source addresses.

The search then left-joins any authentication failures for the same session IDs. The thinking is that if more than one user is on more than one session from a single IP, those users may be co-located, or may be working from a location they are not supposed to (Starbucks, shared Wi-Fi, etc.). Note that the final where clause requires user and action to be populated, and both fields come only from the joined failure events, so in practice an external IP is reported only when three or more distinct users have failed authentication across more than three sessions within the same 5-minute bin.

index=vpn sourcetype=f5:bigip:apm:syslog "New session from client IP"
| search (src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16 AND src!=<Any excluded source IP>)
| eval f5_bigip_host=if(isnull(f5_bigip_host), "<rack/slot/dvc_naming>", f5_bigip_host)
| iplocation src_ip
| rename Region as region, Country as country
| fillnull value=""
| stats count by _time session_id src_ip f5_bigip_host f5_bigip_server_host country region datacenter_location external_ip
| fields - count
| join type=left max=0 session_id [ search index=vpn sourcetype=f5:bigip:apm:syslog "failed"
    | rex field=_raw "authentication with '(?<user>\S+)'"
    | eval action="failure"
    | stats count by _time session_id user action ]
| bin span=5m _time
| eventstats dc(user) as num_users dc(country) as num_country dc(session_id) as num_sessions by src_ip _time
| fillnull value=""
| stats count as event_count by _time user region country external_ip src_ip action num_users num_country num_sessions
| where user!="" AND action!="" AND (num_users>=3 AND num_sessions>3)

Potential Session Hijack

This search is very similar to the one above but looks at a slightly different metric. Where the first search looks for multiple users and sessions from one IP, this one fires when an individual user has had more than one successful session opened within any 5-minute window.

index=vpn sourcetype=f5:bigip:apm:syslog "New session from client IP"
| search (src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16 AND src!=<Any excluded source IP>)
| eval f5_bigip_host=if(isnull(f5_bigip_host), "<rack/slot/dvc_naming>", f5_bigip_host)
| eval user=upper(user)
| iplocation src_ip
| rename Region as region, Country as country
| fillnull value=""
| stats count by _time session_id src_ip f5_bigip_host f5_bigip_server_host country region url datacenter_location external_ip
| fields - count
| join type=left max=0 session_id [ search index=vpn sourcetype=f5:bigip:apm:syslog "Username"
    | eval f5_bigip_host=if(isnull(f5_bigip_host), "<rack/slot/dvc_naming>", f5_bigip_host)
    | stats count by _time session_id user f5_bigip_host f5_bigip_server_host url datacenter_location external_ip
    | fields - count ]
| join type=left max=0 session_id [ search index=vpn sourcetype=f5:bigip:apm:syslog "Access policy result:"
    | fillnull value=""
    | stats count by _time session_id action logon_type
    | fields - count ]
| join type=outer max=0 session_id, user [ search index=vpn sourcetype=f5:bigip:apm:syslog "failed"
    | rex field=_raw "authentication with '(?<user>\S+)'"
    | eval action="failure"
    | stats count by _time session_id user action ]
| eval user=upper(user)
| eventstats dc(user) as num_users dc(action) as flag by session_id
| eventstats dc(country) as num_country dc(src_ip) as num_connections dc(session_id) as num_sessions by user
| bin span=5m _time
| fillnull value=""
| stats values(country) as country values(src_ip) as src_ip values(region) as region values(f5_bigip_host) as f5_bigip_host values(f5_bigip_server_host) as f5_bigip_server_host values(url) as url values(external_ip) as external_ip count as event_count by _time session_id user action logon_type num_users num_country num_connections flag num_sessions datacenter_location
| where user!="" AND action!="" AND (num_users>=2 AND num_connections>1 AND num_sessions>1 AND flag>1)
| sort -_time, -session_id, -user, +action
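Both searches hinge on the same three APM messages: the session-open line that carries the client IP, the Username line that ties an account to a session ID, and the authentication-failure line. The Python below re-implements the two detections outside Splunk over a handful of constructed log lines, so the join-by-session and 5-minute grouping can be checked by hand before the SPL is tuned. This is an added example, not code from the post. The line layout (ISO timestamp prefix, `/Common/<policy>:Common:<session_id>:` before the message text) and the message codes 01490500, 01490107 and 01490005 are assumptions modelled on F5 APM syslog; the second detection is reduced to the core per-user test described above (more than one session from more than one external IP inside a 5-minute bin) rather than all four conditions of the SPL where clause.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

BIN_SECONDS = 300  # the searches' "| bin span=5m _time"

# Source ranges both searches drop (RFC1918); extend this the way the
# "<Any excluded source IP>" placeholder in the searches intends.
EXCLUDED_SRC = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed line layout, modelled on F5 APM syslog forwarded with an ISO timestamp:
#   <ts> <host> <level> apmd[<pid>]: <msgcode>:5: /Common/<policy>:Common:<session_id>: <text>
_PREFIX = r"^(?P<ts>\S+) .*?:Common:(?P<sid>[0-9a-f]+): "
NEW_SESSION = re.compile(_PREFIX + r"New session from client IP (?P<src_ip>[0-9a-fA-F.:]+)")
USERNAME = re.compile(_PREFIX + r"Username '(?P<user>[^']+)'")
AUTH_FAILED = re.compile(_PREFIX + r".*authentication with '(?P<user>[^']+)' failed")


def parse(lines):
    """Reduce raw lines to (bin_start, kind, session_id, value); lines of other kinds are skipped."""
    events = []
    for line in lines:
        for kind, rx, field in (("session", NEW_SESSION, "src_ip"),
                                ("username", USERNAME, "user"),
                                ("failure", AUTH_FAILED, "user")):
            m = rx.match(line)
            if m:
                ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
                events.append((int(ts // BIN_SECONDS) * BIN_SECONDS, kind, m["sid"], m[field]))
                break
    return events


def is_external(ip):
    return not any(ip_address(ip) in net for net in EXCLUDED_SRC)


def external_sessions(events):
    """session_id -> (bin_start, src_ip) for sessions opened from a non-excluded address."""
    return {sid: (b, val) for b, kind, sid, val in events if kind == "session" and is_external(val)}


def detect_brute_force(lines, min_users=3, min_sessions=4):
    """First search: an external IP with >=3 distinct users failing across >3 sessions in one bin."""
    events = parse(lines)
    sessions = external_sessions(events)
    users, sids = defaultdict(set), defaultdict(set)
    for b, kind, sid, user in events:
        if kind == "failure" and sid in sessions:  # the SPL left join on session_id
            key = (b, sessions[sid][1])
            users[key].add(user.upper())
            sids[key].add(sid)
    return [(b, ip, sorted(users[(b, ip)]), len(sids[(b, ip)])) for b, ip in sorted(users)
            if len(users[(b, ip)]) >= min_users and len(sids[(b, ip)]) >= min_sessions]


def detect_session_reuse(lines, min_sessions=2, min_ips=2):
    """Second search, core test: one user, >1 session from >1 external IP inside one 5-minute bin."""
    events = parse(lines)
    sessions = external_sessions(events)
    per_user = defaultdict(lambda: (set(), set()))  # (session_ids, src_ips), what dc() would count
    for _, kind, sid, user in events:
        if kind == "username" and sid in sessions:
            b, src_ip = sessions[sid]
            per_user[(b, user.upper())][0].add(sid)
            per_user[(b, user.upper())][1].add(src_ip)
    return [(b, u, sorted(ips), len(sids)) for (b, u), (sids, ips) in sorted(per_user.items())
            if len(sids) >= min_sessions and len(ips) >= min_ips]


def _line(ts, code, sid, text):
    """Constructed sample line in the assumed layout; not captured from a real device."""
    return f"{ts} bigip1 notice apmd[12345]: {code}:5: /Common/vpn_policy:Common:{sid}: {text}"


VIP = "at VIP 198.51.100.10 Listener /Common/vpn_vs"
SAMPLE_LOG = []
# Spray from one external IP: four users, four sessions, all failing between 10:00 and 10:05.
for i, user in enumerate(("alice", "bob", "carol", "dave")):
    SAMPLE_LOG += [_line(f"2024-03-01T10:0{i}:10Z", "01490500", f"a1b2c3d{i}", f"New session from client IP 203.0.113.5 (ST=CA/CC=US/C=NA) {VIP}"),
                   _line(f"2024-03-01T10:0{i}:15Z", "01490107", f"a1b2c3d{i}", f"AD module: authentication with '{user}' failed in domain 'corp.example'")]
# Same pattern from an RFC1918 address: dropped by the source filter, so no alert.
for i, user in enumerate(("eve", "frank", "grace", "heidi")):
    SAMPLE_LOG += [_line(f"2024-03-01T10:1{i}:10Z", "01490500", f"b2c3d4e{i}", f"New session from client IP 10.20.30.40 (ST=/CC=/C=) {VIP}"),
                   _line(f"2024-03-01T10:1{i}:15Z", "01490107", f"b2c3d4e{i}", f"AD module: authentication with '{user}' failed in domain 'corp.example'")]
# One account opening two sessions from two external IPs between 10:20 and 10:25; the case differs, as upper() handles.
for i, (src, name) in enumerate((("198.51.100.20", "erin"), ("192.0.2.44", "Erin"))):
    SAMPLE_LOG += [_line(f"2024-03-01T10:2{i}:10Z", "01490500", f"c3d4e5f{i}", f"New session from client IP {src} (ST=/CC=/C=) {VIP}"),
                   _line(f"2024-03-01T10:2{i}:12Z", "01490005", f"c3d4e5f{i}", f"Username '{name}'")]

if __name__ == "__main__":
    for hit in detect_brute_force(SAMPLE_LOG):
        print("brute force:", hit)
    for hit in detect_session_reuse(SAMPLE_LOG):
        print("session reuse:", hit)
```

Run as a script it prints one brute-force hit for 203.0.113.5 (four upper-cased users over four sessions in the 10:00 bin) and one session-reuse hit for ERIN; the RFC1918 spray produces nothing because its sessions never enter the join, which is exactly the behaviour the `src!=` filter gives the SPL. The `min_users` and `min_sessions` arguments mirror the thresholds in the where clauses, so they can be adjusted against real exports before touching the saved search.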

 
