I've been trying to get this to work with my data but can't seem to get it to work. https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?ut...
Here is the query I'm running.
index=windows sourcetype=dhcpsrvlog ... | stats dc(dhcp_mac) as macCount values(dhcp_mac) as mac by dhcp_hostname | search macCount>1
I run that for the past 30 days, during which time I have spoofed MAC addresses, with 0 results coming up with this search. Am I missing something?
I think I'm close. Just need a little help. Here is my current search:
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host | eventstats count by raw_mac | where count = 2
I'm trying to get results for any 2 systems sharing the same MAC address.
Thanks again for the help guys.
Ah, I see. No, the search is showing dest_mac and dest_nt_host.
Then your query should be:
index=windows sourcetype=dhcpsrvlog ... | stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host | search macCount>1
Now there is a plethora of hosts showing up with slightly different MAC addresses: 1340 results. Looks like maybe they have multiple network interfaces? How can I adjust the search to show when another host takes on the MAC address of a host, thus showing when a MAC address has been spoofed? Thanks guys.
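To show why grouping by host surfaces multi-NIC machines while grouping by MAC surfaces a shared MAC, here is an added Python example (not from the thread or from Splunk) that runs both groupings over constructed Windows DHCP audit-log lines; the dest_mac/dest_nt_host field names in the comments come from the thread, while the inverted SPL query in hosts_per_mac is an assumption of what the thread's author is after.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample lines in the Windows DHCP server audit-log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address); not real data.
# ID 10 = Assign, 11 = Renew. LAPTOP-CAROL has two NICs (a legitimate
# second MAC); ROGUE-PC later shows up claiming WS-ALICE's MAC.
SAMPLE_LOG = """\
10,03/01/16,08:00:01,Assign,10.0.0.21,WS-ALICE.corp.example,001122AABB01
10,03/01/16,08:00:05,Assign,10.0.0.22,WS-BOB.corp.example,001122AABB02
10,03/01/16,08:00:09,Assign,10.0.0.23,LAPTOP-CAROL.corp.example,001122AABB03
10,03/01/16,08:00:12,Assign,10.0.0.24,LAPTOP-CAROL.corp.example,001122AABB04
11,03/02/16,09:15:30,Renew,10.0.0.21,WS-ALICE.corp.example,001122AABB01
10,03/02/16,09:16:02,Assign,10.0.0.31,ROGUE-PC.corp.example,001122AABB01
"""

def parse_dhcp_log(text):
    """Return (hostname, mac) pairs from lease assignment/renewal rows."""
    pairs = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or row[3] not in ("Assign", "Renew"):
            continue  # skip headers, blanks and non-lease events
        pairs.append((row[5].strip().lower(), row[6].strip().lower()))
    return pairs

def macs_per_host(pairs):
    """Same grouping as the thread's search:
    stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host
    | search macCount>1
    Flags every multi-NIC host, which is the noise seen in the thread."""
    seen = defaultdict(set)
    for host, mac in pairs:
        seen[host].add(mac)
    return {h: sorted(m) for h, m in seen.items() if len(m) > 1}

def hosts_per_mac(pairs):
    """Inverted grouping (assumed SPL equivalent, not from the thread):
    stats dc(dest_nt_host) as hostCount values(dest_nt_host) as hosts
      by dest_mac | where hostCount>1
    One MAC claimed by several hostnames is the spoofing signal."""
    seen = defaultdict(set)
    for host, mac in pairs:
        seen[mac].add(host)
    return {m: sorted(h) for m, h in seen.items() if len(h) > 1}

if __name__ == "__main__":
    pairs = parse_dhcp_log(SAMPLE_LOG)
    print("multi-NIC hosts (noisy):", macs_per_host(pairs))
    print("MACs shared by hosts:", hosts_per_mac(pairs))
```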
Hi @shandman,
When you run this query: index=windows sourcetype=dhcpsrvlog ...
are you getting dhcp_mac and dhcp_hostname in the Interesting Fields on the left-hand side in Splunk?
Same question, but make sure you are in Smart or Verbose mode when you check this.