Splunk Search

How to search for users logged in to systems from 2 or more IP addresses simultaneously within a 3-second time frame?

jfeitosa
Path Finder

I am attempting to identify users who are sharing access to systems from 2 or more IPs within a given time window of 3 s.
How could I search for this?

Thank you very much in advance.

0 Karma

woodcock
Esteemed Legend
0 Karma

hagjos43
Contributor

The query here will do that for you. Assuming of course you are talking about Windows users.

Get a list of Concurrent users on a specific server

0 Karma

jfeitosa
Path Finder

It would not be Windows users, but some high-platform systems that save the access events in a text file.
Still, I appreciate the attention.

0 Karma

hagjos43
Contributor

Hm, you might be able to modify this section of the query and alter other bits to fit your data:

| bucket span=30m _time | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "New\sLogon:\s*Security\sID:\s+\S*\s+Account\sName:\s+(?<ACCT>\S+)" | stats count by ACCT, _time, host | where count>1 | sort - count

The regex (rex) part will have to change. But a similar query would work. Can you provide a sample of your data? Someone might be able to write the appropriate query for you.

0 Karma

jfeitosa
Path Finder

I did a search like this:

index=* sourcetype=logs_accesso | stats count(USER) AS count by USER, TERMINAL, sys1, sys2, _time | where count>=1 | table _time, USER, TERMINAL, sys1, sys2

And returned this:

_time                USER                   TERMINAL  sys1  sys2
12/15/2015 13:56:26  ABDON DOS SANTOS MAIA  A1240A06  S6    AA
12/15/2015 17:19:35  ABDON DOS SANTOS MAIA  A1240A23  S6    AA
12/15/2015 19:01:10  ABDON DOS SANTOS MAIA  A1240A25  J2    AA
12/15/2015 19:57:44  ABDON DOS SANTOS MAIA  B1240A23  H3    A3
12/15/2015 19:58:49  ABDON DOS SANTOS MAIA  B1240A23  H3    A3
12/15/2015 20:14:22  ABDON DOS SANTOS MAIA  B1240A23  H3    A3
12/15/2015 20:14:53  ABDON DOS SANTOS MAIA  B1240A23  H3    A3
12/15/2015 17:00:17  ABDON DOS SANTOS MAIA  B1240A23  H3    AE
12/15/2015 17:00:17  ABDON DOS SANTOS MAIA  B1240A23  H3    AE
12/15/2015 19:53:38  ABDON DOS SANTOS MAIA  B1240A23  H3    AE
12/15/2015 19:53:38  ABDON DOS SANTOS MAIA  B1240A23  H3    AE
12/15/2015 19:57:25  ABDON DOS SANTOS MAIA  B1240A23  H3    AE
12/15/2015 19:57:57  ABDON DOS SANTOS MAIA  B1240A23  H3    AE

But I wanted to collect events where the same USER accessed sys1 and/or sys2 within 3-second intervals from different terminals.

How could I search for this? Please!
Thanks!

0 Karma
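A search that answers the last post, added here as an example; it is not from any of the posters. It assumes the field names USER, TERMINAL, sys1 and sys2 seen in the output above and that the events live in sourcetype logs_accesso. The idea is to put the events in chronological order, carry the previous event's time and terminal forward per user with streamstats, and keep only events whose previous event for the same user came from a different terminal no more than 3 seconds earlier:

```spl
index=* sourcetype=logs_accesso
| sort 0 _time
| streamstats current=f window=1 global=f last(_time) AS prev_time last(TERMINAL) AS prev_terminal by USER
| eval delta=_time-prev_time
| where TERMINAL!=prev_terminal AND delta<=3
| table _time USER TERMINAL prev_terminal delta sys1 sys2
```

Two points worth knowing. First, streamstats works in stream order, so the `sort 0 _time` (the 0 removes the default 10,000-row limit) is required; Splunk returns events newest first and the previous-event logic would otherwise run backwards. Checking only adjacent events per user is sufficient: if any two events of a user within 3 seconds come from different terminals, then some adjacent pair between them also differs in terminal and is at most that far apart, so nothing is missed. Second, the tempting alternative `| bin _time span=3s | stats dc(TERMINAL) AS terminals values(TERMINAL) AS terminals_seen by USER _time | where terminals>1` is simpler but misses pairs that straddle a 3-second bucket boundary (for example 17:00:02 and 17:00:04 land in different buckets), which is why the streamstats form is preferable for a detection. If the log carries a client IP field, substitute it for TERMINAL to match the original question about multiple IP addresses.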