Often we are asked to detect impossible or improbable access events: the same account authenticating from two locations it could not have travelled between in the elapsed time. In a modern SIEM this is relatively simple, but Splunk without Enterprise Security (ESS) has no “great” way to handle this kind of temporal correlation other than an append or join back to the original data. I constructed the following […]
Investigate by MAC, IP all VPN authentications through CISCO_ISE
Helps investigate authentications seen by a Cisco ISE device: it identifies who logged in, from which MAC address and source IP, and where that IP geolocates, for use in other investigations. Replace the <your cisco index>, <your IP> and <IP regex> placeholders; note that the final fields clause expects the renamed IP field to be called "SourceIP - DestIP", so the name chosen in the rename must match it.
index=<your cisco index> "<your IP>"
| rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)"
| rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"
| rex field=_raw "(?<IP><IP regex>)"
| iplocation IP
| stats count sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
| rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice>
| convert ctime(Time)
| fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In
Successful Logons to WordPress Admin Area
Ever want more detailed information on authentications to your WordPress admin area? This Splunk query shows detailed, geolocated information on successful authentications to the wp-admin section of your site. Note that it matches admin-ajax.php requests carrying the _fs_blog_admin parameter (typically added by the Freemius plugin SDK), which the dashboard issues once a user is already logged in; it is a proxy for a completed admin logon rather than the logon event itself. The actual logon is a POST to /wp-login.php, which returns a 302 redirect on success and a 200 (the form re-rendered) on failure, so check that request if you need the exact moment of authentication.
sourcetype="access_combined" uri="/wp-admin/admin-ajax.php?_fs_blog_admin=*"
| iplocation clientip
| stats sparkline latest(_time) as Latest_Date count(status) as count values(status) by uri, Country, Region, City, clientip
| convert ctime(Latest_Date)
| sort - count
Notes: Please comment if this is successful or unsuccessful for you; I have limited access to WordPress data. That said, this worked for me.
Failed Logon Attempts – Windows
The following Splunk query shows an hourly timechart of failed logon attempts (Windows Security EventCode 4625) per host:
source="WinEventLog:security" EventCode=4625
| timechart span=1h count by host
The following Splunk query shows a detailed table of failed logon attempts per target host, source workstation and user in 5-minute blocks, with a sparkline (mini timechart) in the table itself. Host names are lower-cased first so that the same machine logged with different capitalisation is not split across rows.
source="WinEventLog:security" EventCode=4625
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host)
| eval hammer=_time
| bucket span=5m hammer
| stats count sparkline by user, host, hammer, Workstation_Name
| rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("5 minute blocks")
#Admin Notes – This […]
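Building on the 5-minute bucketing above, the following added example (mine, not from the original post) turns the table into a password-spray / brute-force alert: it counts failures and distinct target accounts per source workstation, target host and 5-minute block, decodes the common 4625 Sub_Status codes so that "unknown user" storms are distinguishable from bad-password storms, and keeps only blocks over a threshold. It assumes the same Splunk Add-on for Microsoft Windows field names as the page's query (user, host, Workstation_Name) plus Sub_Status; the thresholds of 20 failures or 10 distinct accounts in 5 minutes are assumptions to tune.

```spl
source="WinEventLog:security" EventCode=4625
| eval Workstation_Name=lower(Workstation_Name), host=lower(host)
| eval sub=lower(Sub_Status)
| eval reason=case(sub=="0xc000006a", "bad password",
                   sub=="0xc0000064", "unknown user",
                   sub=="0xc0000234", "account locked out",
                   sub=="0xc0000072", "account disabled",
                   true(), coalesce(Sub_Status, "unknown"))
| bucket span=5m _time
| stats count as failures dc(user) as distinct_users values(user) as users values(reason) as reasons sparkline by _time, host, Workstation_Name
| where failures >= 20 OR distinct_users >= 10
| rename host as "Target Host" Workstation_Name as "Source Host"
| convert ctime(_time) as "5 minute blocks"
| table "5 minute blocks" "Source Host" "Target Host" failures distinct_users reasons users sparkline
| sort - distinct_users, - failures
```

A high distinct_users count with mostly "bad password" or "unknown user" reasons from one Source Host is the spray pattern; a high failures count against a single account is the brute-force pattern, and "account locked out" appearing in reasons tells you the lockout policy has already fired. Workstation_Name is blank for some network logons (for example NTLM via RDP or SMB from non-Windows clients), so keep Source Host in the grouping but expect an empty value for those rows.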
Successful Login to OSX
The following Splunk query (with regex) returns the users who have successfully authenticated to an OS X machine, counted per user, host and day. *NOTE* Thanks, Bob, for pointing this out. The regular expression has now been fixed!
sourcetype=osx_secure
| rex "authinternal\sauthenticated\suser\s(?<USER>\S+)"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by USER, host, Date
| sort - count