I am attempting to identify users who are sharing access to systems from 2 or more IPs within a given time window of 3 seconds.
How could I search for this?
Thank you very much in advance.
You can use the approach from this Q&A to do this:
https://answers.splunk.com/answers/232781/find-all-events-of-type-x-that-do-not-have-an-even.html
The query here will do that for you. Assuming of course you are talking about Windows users.
It would not be Windows users, but some high-platform systems that save the access events in a text file.
Still I appreciate the attention.
Hm, you might be able to modify this section of the query and alter other bits to fit your data:
| bucket span=30m _time | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "New\sLogon:\s*Security\sID:\s+\S*\s+Account\sName:\s+(?<ACCT>\S+)" | stats count by ACCT, _time, host | where count>1 | sort - count
The regex (rex) part will have to change. But a similar query would work. Can you provide a sample of your data? Someone might be able to write the appropriate query for you.
I did a search like this:
index=* sourcetype=logs_accesso | stats count(USER) AS count by USER, TERMINAL, sys1, sys2, _time | where count>=1 | table _time, USER, TERMINAL, sys1, sys2
And returned this:
_time USER TERMINAL Sys1 Sys2
12/15/2015 13:56:26 ABDON DOS SANTOS MAIA A1240A06 S6 AA
12/15/2015 17:19:35 ABDON DOS SANTOS MAIA A1240A23 S6 AA
12/15/2015 19:01:10 ABDON DOS SANTOS MAIA A1240A25 J2 AA
12/15/2015 19:57:44 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 19:58:49 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 20:14:22 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 20:14:53 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 17:00:17 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 17:00:17 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:53:38 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:53:38 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:57:25 ABDON DOS SANTOS MAIA B1240A23 H3 AE
12/15/2015 19:57:57 ABDON DOS SANTOS MAIA B1240A23 H3 AE
But I wanted to collect events where the same user accessed sys1 and/or Sys2 within 3-second intervals from different terminals.
How could I do this search? Please!
Thanks!
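The check the poster is after, written as an added example rather than anything from this thread: group events per user, sort them in time, and flag any two events on different terminals that fall within 3 seconds of each other. Grouping by exact `_time` (as in the poster's search) only catches identical timestamps, and fixed `bucket` spans miss pairs that straddle a boundary, so this uses a sliding window instead. The rows below are constructed in the layout of the table above; the names, terminals and times are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the layout of the table above
# (_time USER TERMINAL Sys1 Sys2); names, terminals and times are made up.
SAMPLE_ROWS = """\
12/15/2015 19:57:44 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 19:57:46 ABDON DOS SANTOS MAIA A1240A06 H3 A3
12/15/2015 20:14:22 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 20:14:24 ABDON DOS SANTOS MAIA B1240A23 H3 A3
12/15/2015 17:00:20 MARIA SILVA C1240A01 J2 AE
12/15/2015 17:00:17 MARIA SILVA A1240A25 S6 AA
12/15/2015 17:00:19 MARIA SILVA A1240A25 J2 AE
"""

# Timestamp, a user name that may contain spaces, then exactly three
# whitespace-free fields (terminal, sys1, sys2) running to end of line.
ROW_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.+?) (\S+) (\S+) (\S+)$")

def parse_rows(text):
    """Parse table rows into (time, user, terminal, sys1, sys2) tuples."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip the header line or anything malformed
        ts, user, terminal, sys1, sys2 = m.groups()
        events.append((datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
                       user, terminal, sys1, sys2))
    return events

def find_shared_access(events, window_seconds=3):
    """Pairs of events where one user is seen on two different terminals
    within window_seconds of each other (sliding window, not fixed buckets)."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])  # events arrive unordered; sort per user
        for i, earlier in enumerate(evs):
            for later in evs[i + 1:]:
                if later[0] - earlier[0] > window:
                    break  # sorted, so no later event can be in the window
                if later[2] != earlier[2]:  # different TERMINAL
                    hits.append((user, earlier[0], earlier[2], later[0], later[2]))
    return hits
```

Same-terminal repeats inside the window (the 20:14:22/20:14:24 pair) are deliberately ignored, since only a change of terminal indicates shared access. In SPL the equivalent sliding window is what `streamstats ... by USER` provides.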