Splunk Lantern

Authentication logs for an endpoint

You might want to find all users who have attempted to access a particular endpoint when doing the following:

Prerequisites

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Authentication data model. For information on installing and using the CIM, see the Common Information Model documentation.

Example

Part of your role as a security analyst at a large organization is to monitor your network for users who access systems they don't need for their jobs. You need to set up a search to accomplish this task.

To optimize the search shown below, you should specify an index and a time range.

  1. Ensure that your deployment is ingesting authentication logs from your various systems and populating the Authentication data model.
  2. Run the following search (each SPL command is pipe-delimited; the rename step needs its own leading pipe):
     | tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest> BY _time, Authentication.dest, Authentication.user, Authentication.app, Authentication.action
     | rename "Authentication.*" as "*"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
  | tstats count FROM datamodel=Authentication WHERE Authentication.dest=<dest> BY _time, Authentication.dest, Authentication.user, Authentication.app, Authentication.action
Explanation:
  Query the Authentication data model for authentication events whose destination matches the value you supply in place of <dest>, counting them by time, destination, user, application, and action.

Splunk Search:
  | rename "Authentication.*" as "*"
Explanation:
  Strip the data model prefix from the field names for better readability (for example, Authentication.user becomes user).

Result

The results show, for each combination of time, user, application, and action, the count of authentication events to the specified destination. From this list you can investigate users who you believe should not have authenticated to that particular endpoint.
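As an added example that is not part of the original article, the following Python script takes rows in the shape the renamed search output has (_time, dest, user, app, action, count), for instance exported from Splunk, and summarises authentication attempts to one endpoint by users who are not on a hypothetical per-endpoint allow-list. The sample rows and the allow-list are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows mirroring the search output after "| rename".
# These are not real events; the action values follow the CIM convention
# of "success" / "failure".
ROWS = [
    {"_time": "2024-05-01T08:00:00", "dest": "fileserver01", "user": "alice", "app": "ssh", "action": "success", "count": "1"},
    {"_time": "2024-05-01T08:05:00", "dest": "fileserver01", "user": "bob", "app": "ssh", "action": "failure", "count": "3"},
    {"_time": "2024-05-01T08:06:00", "dest": "fileserver01", "user": "bob", "app": "ssh", "action": "success", "count": "1"},
    {"_time": "2024-05-01T09:00:00", "dest": "fileserver01", "user": "svc_backup", "app": "smb", "action": "success", "count": "4"},
    {"_time": "2024-05-01T09:30:00", "dest": "dbserver02", "user": "bob", "app": "sqlnet", "action": "success", "count": "1"},
]

# Hypothetical allow-list: users expected to authenticate to each endpoint.
AUTHORIZED = {"fileserver01": {"alice", "svc_backup"}, "dbserver02": {"bob"}}

def unexpected_authentications(rows, authorized, dest):
    """Per-user summary of attempts against `dest` by users not on its allow-list."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "apps": set(),
                                   "first_seen": None, "last_seen": None})
    for row in rows:
        if row["dest"] != dest or row["user"] in authorized.get(dest, set()):
            continue
        entry = summary[row["user"]]
        n = int(row["count"])  # tstats emits count as a string in CSV exports
        if row["action"] == "success":
            entry["success"] += n
        else:  # anything that is not an explicit success is treated as a failure
            entry["failure"] += n
        entry["apps"].add(row["app"])
        ts = datetime.fromisoformat(row["_time"])
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
    # Users who actually got in are listed first, then by total attempt volume.
    return sorted(
        ({"user": u, **v, "apps": sorted(v["apps"])} for u, v in summary.items()),
        key=lambda e: (-e["success"], -(e["success"] + e["failure"]), e["user"]),
    )

if __name__ == "__main__":
    for finding in unexpected_authentications(ROWS, AUTHORIZED, "fileserver01"):
        print(finding)
```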
