Splunk Search

How to search and trigger an alert email to a user if their account has successful logons from 10 different computers in the last hour?

turanascioglu
New Member

Hi,

I'm new to Splunk and we would like to buy the Enterprise version. Currently I'm testing, and now I've stumbled upon a problem.
Here's the scenario: we have a large Wi-Fi network in which clients authenticate through 802.1X with a Windows RADIUS (NPS) server.

The events that are generated are processed by Splunk.

What I would like to detect is the following:

In the event that a student-login is used to log on from 10 different computers in the last hour, it should be detected.

The following search gives me all the successful logons for user 20002706:

Account_Name="*20002706*" Message="Network Policy Server granted*"

I also would like to be able to send an email to the specified user (account name is also an email-alias).

Can you help me out?

Kind regards

Turan


turanascioglu
New Member

Hi Mus,

Here is the event I'm using as the source:

20150204143519.000000
Category=12552
CategoryString=Network Policy Server
EventCode=6272
EventIdentifier=6272
EventType=4
Logfile=Security
RecordNumber=629004658
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20150204133519.453956-000
TimeWritten=20150204133519.453956-000
Type=Audit Success
User=NULL
ComputerName=PXLDC1.PXL.LOCAL
wmi_type=WinEventLog:Security
Message=Network Policy Server granted access to a user.
User:
Security ID: S-1-5-21-919585450-3989951782-4046941352-2185
Account Name: *
*@student.pxl.be
Account Domain: PXLSTUD
Fully Qualified Account Name: STUD.PXL.LOCAL/Studenten/
****
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: ****
Calling Station Identifier: ******
NAS:
NAS IPv4 Address: 192.168.251.240
NAS IPv6 Address: -
NAS Identifier: 192.168.251.240
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: controller240
Client IP Address: 192.168.251.240
Authentication Details:
Connection Request Policy Name: 802.1X and Captive Portal
Network Policy Name: 802.1X and Captive Portal Student Wireless
Authentication Provider: Windows
Authentication Server: PXLDC1.PXL.LOCAL
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the SQL data store and the local log file.
Quarantine Information:
Result: Full Access
Session Identifier:*


ppablo
Retired

Hi @turanascioglu

Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You've been typing your responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation.

This current "answer" can no longer be converted to a comment since it is beyond the character limit. If you have a long response and are hitting a character limit when leaving a comment, just break it up into multiple comments. Just something to keep in mind from here on out. Thanks.


Ayn
Legend

Assuming you have a field that contains the hostname, IP or some other host identifier and a field that contains the username (let's call these fields "src" and "user" respectively in this example):

Account_Name="20002706" Message="Network Policy Server granted*" earliest=-1h | stats dc(src) as srcnum by user | search srcnum>=10

As for the email part, this could work if you set up a lookup of some sort that maps the username to an email address. To my knowledge the internal sendemail command doesn't support reading mail addresses dynamically like that though, so you'd have to find a workaround for that.

turanascioglu
New Member

Hi Ayn,

Thank you for the response.

Now, as a result, I'm seeing the usernames and the field stating the number of different machines.
But is it also possible to see a field with the hosts, concatenated into one field?

Something like this:

user-x host19;host56;host41;host76
user-y host65;host47;host27;host98

We would like to send an automatic e-mail to the user, including in the body text the stations on which his account was detected.

Kind regards

turan


Ayn
Legend

Sure,

do something like this:

Account_Name="20002706" Message="Network Policy Server granted*" earliest=-1h | stats dc(src) as srcnum, values(src) as srcnames by user | search srcnum>=10 | eval srcnames=mvjoin(srcnames,";")

MuS
SplunkTrust

HeHe, pretty close to my answer 😉


MuS
SplunkTrust

Hi turanascioglu,

Without knowing the real events, it is like asking a glass ball 🙂 But nevertheless you can try something like this:

Account_Name="*20002706*" Message="Network Policy Server granted*" | stats  values(Account_Name) AS myTo dc(host) AS host_count by Account_Name | where host_count>=10 | eval myList=mvjoin(myTo, ", ")  | sendemail to=myList .....

This is based on the assumption that there is a field called host representing your Computers. Adapt it to your needs.

Hope this helps to get you started ...

cheers, MuS
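As an added illustration, not code from this thread or from Splunk: the logic of Ayn's and MuS's searches (distinct machines per account in the last hour, threshold of 10, hosts joined with ";" as mvjoin does, recipient derived from the account name) re-implemented in plain Python over constructed NPS 6272 events in the layout quoted above, so the detection can be checked offline. It assumes that the Calling Station Identifier identifies the client device (the thread's "src"/"host" field) and that the account name is the user's e-mail alias, as the question states; all account names, stations and timestamps below are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference time: the one-hour window ends here.
NOW = datetime(2015, 2, 4, 14, 35, 19)


def make_event(ts, user, station, code="6272",
               msg="Network Policy Server granted access to a user."):
    """Build one constructed NPS event in the key=value / 'Key: value' layout
    quoted in the thread, trimmed to the fields this example parses."""
    return "\n".join([
        f"TimeGenerated={ts:%Y%m%d%H%M%S}.000000-000",
        f"EventCode={code}",
        f"Message={msg}",
        "User:",
        f"Account Name: {user}",
        "Account Domain: PXLSTUD",
        "Client Machine:",
        "Account Name: -",
        f"Calling Station Identifier: {station}",
    ])


def parse_event(text):
    """Extract timestamp, event code, message, the user's account name and the
    calling station (assumed here to identify the client device)."""
    ev = {"user": None, "station": None}
    section = None
    for line in text.splitlines():
        if line.startswith("TimeGenerated="):
            ev["time"] = datetime.strptime(line.split("=", 1)[1][:14], "%Y%m%d%H%M%S")
        elif line.startswith("EventCode="):
            ev["code"] = line.split("=", 1)[1]
        elif line.startswith("Message="):
            ev["message"] = line.split("=", 1)[1]
        elif line in ("User:", "Client Machine:"):
            section = line  # 'Account Name:' appears in both sections
        elif line.startswith("Account Name:") and section == "User:" and ev["user"] is None:
            ev["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Calling Station Identifier:"):
            ev["station"] = line.split(":", 1)[1].strip()
    return ev


def detect(events, now=NOW, threshold=10, window=timedelta(hours=1)):
    """Equivalent of: ... earliest=-1h | stats dc(src) as srcnum, values(src)
    as srcnames by user | search srcnum>=10. Returns {user: sorted stations}."""
    per_user = defaultdict(set)
    for ev in events:
        if ev["code"] != "6272" or not ev["message"].startswith("Network Policy Server granted"):
            continue  # only successful grants count, as in the thread's search
        if not (now - window <= ev["time"] <= now):
            continue  # outside the last hour
        per_user[ev["user"]].add(ev["station"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}


def build_alert(user, stations):
    """The account name is an e-mail alias (per the question), so the recipient
    is the account itself; in Splunk this is where a lookup would map user to
    address, since sendemail's to= does not read a field value as Ayn notes."""
    body = (f"Your account {user} was granted wireless access from "
            f"{len(stations)} different stations in the last hour: "
            + ";".join(stations))  # same shape as eval srcnames=mvjoin(srcnames,";")
    return user, body


def sample_events():
    """Constructed events: one account seen from 12 stations inside the hour
    (plus two older grants and one denied attempt that must not count), one
    account reconnecting 11 times from a single station, one seen from 3."""
    evs = []
    for i in range(12):
        evs.append(make_event(NOW - timedelta(minutes=2 * i),
                              "20002706@student.pxl.be", f"AA-BB-CC-00-00-{i:02X}"))
    for i in (90, 120):
        evs.append(make_event(NOW - timedelta(minutes=i),
                              "20002706@student.pxl.be", f"AA-BB-CC-00-01-{i:02X}"))
    evs.append(make_event(NOW - timedelta(minutes=5), "20002706@student.pxl.be",
                          "AA-BB-CC-00-02-FF", code="6273",
                          msg="Network Policy Server denied access to a user."))
    for i in range(11):
        evs.append(make_event(NOW - timedelta(minutes=i),
                              "20001234@student.pxl.be", "AA-BB-CC-00-03-01"))
    for i in range(3):
        evs.append(make_event(NOW - timedelta(minutes=i),
                              "20005678@student.pxl.be", f"AA-BB-CC-00-04-{i:02X}"))
    return [parse_event(e) for e in evs]


if __name__ == "__main__":
    for user, stations in detect(sample_events()).items():
        to, body = build_alert(user, stations)
        print(f"To: {to}\n{body}\n")
```

Only the first account trips the threshold: the two older grants fall outside the window, the denied attempt is not a grant, and eleven reconnects from one laptop still give a distinct count of one, which is the difference between dc(src) and count() that the thread's search relies on.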
