You might want to find all users who have attempted to access a particular endpoint when doing the following:
- Detecting techniques in the Orangeworm attack group
- Monitoring Windows account access
- Monitoring for signs of Windows privilege escalation attacks
Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Authentication data model. For information on installing and using the CIM, see the Common Information Model documentation.
Part of your role as a security analyst at a large organization is to monitor your network for users who access systems they don't need for their jobs. You need to set up a search to accomplish this task.
To optimize the search shown below, you should specify an index and a time range.
- Ensure that your deployment is ingesting authentication logs from your various systems and populating the Authentication data model.
- Run the following search (note the pipe before `rename`, which separates the two commands):

```
| tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest> BY _time, Authentication.dest, Authentication.user, Authentication.app, Authentication.action
| rename "Authentication.*" as "*"
```
The table below explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| `\| tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest> BY _time, Authentication.dest, Authentication.user, Authentication.app, Authentication.action` | Query the Authentication data model for events related to an authentication to the destination specified in the `<dest>` field, counted per time, destination, user, application, and action. |
| `\| rename "Authentication.*" as "*"` | Rename the data model fields for better readability by dropping the `Authentication.` prefix. |
The results show the time, user, application, and action related to authentication to a specific destination. You can investigate users who you believe should not have authenticated to that particular endpoint.
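As an added example that is not part of this Splunk page, the following Python emulates the search above over constructed, CIM-normalized Authentication events: it counts by the same BY fields, strips the `Authentication.` prefix as the `rename` does, and then compares the users seen on the endpoint against an assumed expected-user list to pick out the candidates for investigation. The events, host names and user names are constructed sample data.

```python
"""Added example (not part of the Splunk page): emulate the tstats search over
CIM-normalized Authentication events and flag users not expected on an endpoint."""
from collections import Counter

PREFIX = "Authentication."
BY_FIELDS = ("_time", PREFIX + "dest", PREFIX + "user", PREFIX + "app", PREFIX + "action")

def _event(t, dest, user, app, action):
    # Build one event using the data model field names exactly as tstats returns them.
    return {"_time": t, PREFIX + "dest": dest, PREFIX + "user": user,
            PREFIX + "app": app, PREFIX + "action": action}

# Constructed sample data standing in for what the Authentication data model would return.
EVENTS = [
    _event("2024-05-01T08:00:00", "fileserver01", "alice", "win:remote", "success"),
    _event("2024-05-01T08:00:00", "fileserver01", "alice", "win:remote", "success"),
    _event("2024-05-01T08:05:00", "fileserver01", "bob", "win:remote", "success"),
    _event("2024-05-01T08:07:00", "fileserver01", "svc_backup", "ssh", "failure"),
    _event("2024-05-01T08:09:00", "dc01", "carol", "win:remote", "success"),  # other dest, filtered out
]

def rename_field(field):
    """| rename "Authentication.*" as "*" : strip the data model prefix."""
    return field[len(PREFIX):] if field.startswith(PREFIX) else field

def tstats_count(events, dest):
    """| tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest>
    BY _time, Authentication.dest, Authentication.user, Authentication.app, Authentication.action
    Returns one row per distinct combination of the BY fields, with a count."""
    counts = Counter(tuple(e[f] for f in BY_FIELDS)
                     for e in events if e.get(PREFIX + "dest") == dest)
    rows = []
    for key, count in sorted(counts.items()):
        row = {rename_field(f): v for f, v in zip(BY_FIELDS, key)}
        row["count"] = count
        rows.append(row)
    return rows

def unexpected_users(rows, expected_users):
    """Users seen authenticating (success or failure) to the endpoint who are not on
    its expected-user list (an assumed baseline); these are the candidates for investigation."""
    return sorted({r["user"] for r in rows} - set(expected_users))

if __name__ == "__main__":
    results = tstats_count(EVENTS, "fileserver01")
    for r in results:
        print(r)
    print("investigate:", unexpected_users(results, {"alice", "bob"}))
```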