Splunk Lantern

Authentication logs for an endpoint

Part of your role as a security analyst at a large organization is to monitor your network for users who access systems they don't need for their jobs. You need to set up a search to accomplish this task.

Data required 

Windows event logs

Procedure

  1. To complete this process, you should ensure you are ingesting normalized data that populates the Authentication data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest ip> BY _time, Authentication.dest, Authentication.user, Authentication.app, Authentication.action
| rename "Authentication.*" as "*"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search: |tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest ip> BY _time, Authentication.dest, Authentication.user, Authentication.app, Authentication.action
Explanation: Query the Authentication data model for authentication events whose destination is the endpoint you supply in place of <dest ip>.

Splunk search: | rename "Authentication.*" as "*"
Explanation: Strip the data model prefix from the field names for better readability.

Next steps

The results show the time, user, application, and action related to authentication to a specific destination. You can investigate users who you believe should not have authenticated to that particular endpoint. 
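As an added example (not part of the original Lantern article), the search below extends the one above so that only users who are not expected on the endpoint are returned, with their first and last successful logons and the applications they used. It assumes a lookup definition named endpoint_authorized_users that you maintain yourself, with the fields dest, user, and authorized (any non-empty value marks the pair as approved); the name and its fields are assumptions, not part of the CIM.

```spl
|tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest ip> Authentication.action=success BY _time span=1h, Authentication.dest, Authentication.user, Authentication.app, Authentication.action
| rename "Authentication.*" as "*"
| lookup endpoint_authorized_users dest user OUTPUT authorized
| where isnull(authorized)
| stats sum(count) AS logons, min(_time) AS first_seen, max(_time) AS last_seen, values(app) AS apps BY dest, user
| convert ctime(first_seen) ctime(last_seen)
| sort - logons
```

Users who appear in the output are those with successful authentications to the endpoint but no matching row in the lookup, which is the set worth investigating first.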

Finally, you might be interested in other processes associated with the following use cases: