-
Notifications
You must be signed in to change notification settings - Fork 375
/
investigate_previous_unseen_user.yml
35 lines (35 loc) · 1.46 KB
/
investigate_previous_unseen_user.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
name: Investigate Previous Unseen User
id: ad114d5c-8079-4a84-a646-2fd00dfc07cc
version: 1
date: '2019-12-10'
author: Patrick Bareiss, Splunk
type: Investigation
datamodel:
- Authentication
description: This search returns previous unseen user, which didn't log in for 30
days.
search: '| tstats count `security_content_summariesonly` earliest(_time) as first_login
latest(_time) as last_login values(Authentication.dest) AS Authentication.dest values(Authentication.app)
AS Authentication.app values(Authentication.action) AS Authentication.action from
datamodel=Authentication where Authentication.action=success by _time, Authentication.user
| bucket _time span=30d | stats count min(first_login) as first_login max(last_login)
as last_login values(Authentication.dest) AS Authentication.dest by Authentication.user
| where count=1 | where first_login >= relative_time(now(), "-30d") | `security_content_ctime(first_login)`
| `security_content_ctime(last_login)` | `drop_dm_object_name("Authentication")`
| search dest=$dest$'
how_to_implement: To successfully implement this search you need to be ingesting authentication
logs from your various systems and populating the Authentication data model.
known_false_positives: ''
references: []
tags:
analytic_story:
- Credential Dumping
product:
- Splunk Phantom
required_fields:
- _time
- Authentication.dest
- Authentication.app
- Authentication.action
- Authentication.user
security_domain: endpoint