Splunk Search

Need help creating a search to detect malicious activity from a terminated employee

Ghanayem1974
Path Finder

An employee was terminated and we would like to fire an event when we see the user log on to any system.

1 Solution

adonio
Ultra Champion

hello there,

the comment above by @jdhunter is very valid imho,
now it is time to ask yourself, how would I know an employee is terminated?
where can I get this data? many times from the HR DB, sometimes from ticketing systems, as IT closes the email account or something. however, relying on IT (only from my experience) to know who was terminated is not ideal.
now that you have the data, how will you correlate it to login events, windows / nix / vpn / etc ...?
different data will have different field names for user, maybe Account_Name or username or other field names.
first, you will probably want to normalize all the fields so you can capture the most in one single search.
the CIM (Common Information Model) is a great tool to help you accomplish that, read here:
http://docs.splunk.com/Documentation/CIM/4.11.0/User/Overview
otherwise, you can use field aliases for example, read here: https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Addaliasestofields
second, you would like to have a list, lookup, with names of all terminated employees.
finally, build a search that will look for all user logins and match the usernames to your lookup of terminated personnel.

hope it helps


jdhunter
Path Finder

What type of logs are you bringing into Splunk?

For Windows Security Logs, you would want to look for EventCode 4624 (Successful log on) & EventCode 4625 (failed login) for the user in question. If you don't care about attempts, you can leave out 4625.

If you have a VPN solution, you should check those logs as well.

Create your search and then schedule an alert. Trigger on anything greater than 0.
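Putting the two answers together, here is an added example search (not from either poster) that takes jdhunter's Windows 4624/4625 search and adds adonio's lookup step. It assumes a lookup table file `terminated_employees.csv` with columns `user` (stored lowercase) and `termination_date` in `YYYY-MM-DD` form, and Windows Security events indexed with the Splunk Add-on for Microsoft Windows, which extracts `user`, `ComputerName` and `Source_Network_Address` from logon events; the index name is a placeholder.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)
| eval user=lower(user) ```lookup matching is case sensitive by default, so normalise both sides```
| lookup terminated_employees.csv user OUTPUT termination_date
| where isnotnull(termination_date) ```keep only accounts present in the terminated list```
| eval term_epoch=strptime(termination_date, "%Y-%m-%d")
| where _time >= term_epoch ```ignore historical logons from before the termination date```
| eval outcome=if(EventCode=4624, "success", "failure")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen,
        values(Source_Network_Address) AS src, values(ComputerName) AS dest
        BY user, outcome, termination_date
| convert ctime(first_seen) ctime(last_seen)
```

Save it as a scheduled alert over a short window (for example every 5 minutes over the last 5 minutes) with the trigger condition "number of results greater than 0", as jdhunter suggests; VPN or *nix sources can be added to the base search once their username field is aliased to `user`, as adonio's CIM link describes.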
