Splunk Enterprise Security

I need to find a way to search for users that are logged into more than one host from entirely different hosts

brian1_tate
Path Finder

This search doesn't really give me what I need, nor does the ES-TA. I need to figure out how I can determine if a single user is or has logged into more than one host from totally different devices over the day. I have some ideas, but this seems slightly strange to write as a search. Here's what I have.
I managed to create the report using this search

index="oswinsec" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs", values(dvc) as "Domains Controller", count by user
| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users

Will something like this work for the single condition, and how would I modify it for the case where the user is also logged in to one or more devices using the same user name?

Thx

0 Karma

somesoni2
SplunkTrust

How about this
updated typos

index="oswinsec" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown) | bucket span=1d _time
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs" , values(dvc) as "Domains Controller", count as Total_time_logged_in by _time user | where Number_logged_hosts>1
| rename user as Users
| sort -Number_logged_hosts Users
0 Karma
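The same bucket-by-day / dc(src_ip) logic as the search above, re-implemented in Python over a handful of constructed Windows logon events so the expected rows can be checked offline. This is an added example, not code from the thread or from Splunk; the event dicts are made up, and it assumes the Windows TA has already extracted `user`, `src_ip`, `dvc` and `EventCode` into fields with those names.

```python
"""
Added example: Python equivalent of

  index="oswinsec" (EventCode=540 OR EventCode=4624)
      NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
  | bucket span=1d _time
  | stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs",
          values(dvc) as "Domain Controller", count as Total_time_logged_in by _time user
  | where Number_logged_hosts>1
  | sort -Number_logged_hosts Users

run over constructed sample events (not real log data).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape the search expects (assumption: the
# Windows TA has already extracted user/src_ip/dvc/EventCode as fields).
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:00:00Z", "EventCode": 4624, "user": "alice",  "src_ip": "10.0.0.5",     "dvc": "DC01"},
    {"_time": "2024-03-01T09:30:00Z", "EventCode": 4624, "user": "alice",  "src_ip": "10.0.0.5",     "dvc": "DC01"},
    {"_time": "2024-03-01T13:15:00Z", "EventCode": 4624, "user": "alice",  "src_ip": "192.168.1.77", "dvc": "DC02"},
    {"_time": "2024-03-01T10:00:00Z", "EventCode": 540,  "user": "bob",    "src_ip": "10.0.0.9",     "dvc": "DC01"},
    {"_time": "2024-03-02T10:00:00Z", "EventCode": 4624, "user": "bob",    "src_ip": "10.0.0.10",    "dvc": "DC01"},
    {"_time": "2024-03-01T11:00:00Z", "EventCode": 4624, "user": "WS01$",  "src_ip": "10.0.0.20",    "dvc": "DC01"},
    {"_time": "2024-03-01T11:05:00Z", "EventCode": 4624, "user": "WS01$",  "src_ip": "10.0.0.21",    "dvc": "DC01"},
    {"_time": "2024-03-01T12:00:00Z", "EventCode": 4624, "user": "SYSTEM", "src_ip": "10.0.0.30",    "dvc": "DC02"},
    {"_time": "2024-03-01T12:00:00Z", "EventCode": 4672, "user": "carol",  "src_ip": "10.0.0.40",    "dvc": "DC02"},
    {"_time": "2024-03-01T12:10:00Z", "EventCode": 4624, "user": "carol",  "src_ip": "10.0.0.40",    "dvc": "DC02"},
    {"_time": "2024-03-01T12:20:00Z", "EventCode": 4624, "user": "carol",  "src_ip": "10.0.0.41",    "dvc": "DC02"},
    {"_time": "2024-03-01T12:30:00Z", "EventCode": 4624, "user": "carol",  "src_ip": "10.0.0.42",    "dvc": "DC03"},
]

LOGON_CODES = {540, 4624}                       # EventCode=540 OR EventCode=4624
EXCLUDED_USERS = {"ANONYMOUS LOGON", "SYSTEM", "services", "Unknown"}


def is_interesting(event):
    """Base-search filter: logon events only, minus machine and service accounts."""
    if event["EventCode"] not in LOGON_CODES:
        return False
    user = event["user"]
    if user.endswith("$") or user in EXCLUDED_USERS:   # user=*$ drops computer accounts
        return False
    return True


def day_bucket(ts):
    """Equivalent of `bucket span=1d _time`: truncate to the UTC calendar day."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.date().isoformat()


def multi_host_logins(events, min_hosts=2):
    """One row per (day, user) whose distinct source IP count is >= min_hosts,
    sorted like `sort -Number_logged_hosts Users`."""
    groups = defaultdict(lambda: {"src_ips": set(), "dvcs": set(), "count": 0})
    for ev in filter(is_interesting, events):
        g = groups[(day_bucket(ev["_time"]), ev["user"])]   # stats ... by _time user
        g["src_ips"].add(ev["src_ip"])
        g["dvcs"].add(ev["dvc"])
        g["count"] += 1

    rows = []
    for (day, user), g in groups.items():
        if len(g["src_ips"]) >= min_hosts:                  # where Number_logged_hosts>1
            rows.append({
                "_time": day,
                "Users": user,
                "Number_logged_hosts": len(g["src_ips"]),   # dc(src_ip)
                "Logins IPs": sorted(g["src_ips"]),         # values(src_ip) is sorted+deduped
                "Domain Controller": sorted(g["dvcs"]),     # values(dvc)
                "Total_time_logged_in": g["count"],         # count: number of logon events
            })
    rows.sort(key=lambda r: (-r["Number_logged_hosts"], r["Users"]))
    return rows


if __name__ == "__main__":
    for row in multi_host_logins(SAMPLE_EVENTS):
        print(row)
```

With the sample data, carol (three source IPs on 2024-03-01) and alice (two) are reported; bob is not, because his two IPs fall on different days and the 1d bucket keeps them apart; WS01$ and SYSTEM are filtered by the base search. Two caveats carry over to the SPL: `count` renamed to Total_time_logged_in is a number of logon events, not a duration, and `dc(src_ip)` counts addresses, so a single laptop that picks up a new DHCP lease during the day will look like a second host.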

brian1_tate
Path Finder

Well, that's a start, somesoni2. Thank you. Aside from where I am getting unbalanced quotes ("Logins IPs"), I believe

I then am thrown the following
Error in 'stats' command: The argument 'Total_time_logged_in' is invalid.

Anyone else have thoughts on this?

0 Karma

brian1_tate
Path Finder

@somesoni2 I forgot to say a big thanks!

0 Karma

brian1_tate
Path Finder

Well, this search will execute; however, I'm baffled why it believes the above argument is invalid.

index=oswinsec (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs", values(dvc) as "Domain Controller", count by user
| rename user as Users
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users

0 Karma

somesoni2
SplunkTrust

Fixed the typos. Give it a try again.

0 Karma

brian1_tate
Path Finder

Hmm, same message: Error in 'stats' command: The argument 'Total_time_logged_in' is invalid.

0 Karma