Search to find unauthorized host(s) last login dat...

cjsweeney1 · ‎03-22-2017

Hi looking for a search to find any unauthorized systems that are sitting on a network and the last login date.

richgalloway · ‎03-22-2017

To find unauthorized systems you'll first need a list of the authorized systems, perhaps in a lookup file. Then search to find ALL systems on your network and compare that list to the authorized list. The difference is the unauthorized systems.

---
If this reply helps you, Karma would be appreciated.

cjsweeney1 · ‎03-22-2017

Hey Rich,

You know a search string to find a particular hosts last ip "pull" is... I'm wondering if the last time it had a DHCP timestamp assigned is all I will be able to get.

richgalloway · ‎03-22-2017

I don't know that.

---
If this reply helps you, Karma would be appreciated.

cjsweeney1 · ‎03-22-2017

Hmmm.... could work. Could that lookup file be automatically updated? I was hoping enterprise security would have a report like this built-in.

richgalloway · ‎03-22-2017

Yes, it's possible to automatically update the lookup file.

---
If this reply helps you, Karma would be appreciated.

Search to find unauthorized host(s) last login date

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases