Walk-through of the Splunk queries used to create a dashboard in Splunk using SSH telemetry that includes:
- Top account failed
- Top Source IP
- Number of failed attempts by user
- Successful logins
- Heat map for all external activity
(Part of MyDFIR SOC Analyst Lab 1)
Query 1: index=mydfir-lab1 failed host=linuxvm source="auth.log" sourcetype=linux_auth_logs | top user can limit results with | top limit=
Visualization: Single Value
Panel Title: Top Failed Account
Shows us the name of the user with the top number of failed log in attempts.
Searching for:
- Logs that are related to authentication (password acceptance)
- From the "auth.log" file
- On a specific machine called "linuxvm"
- With logs of type "linux_auth_logs"
We're also using Splunk's built-in top command to find the top 20 users (user) that have attempted to log in. In other words, we're identifying the most frequent login attempts by username. This can be helpful for security teams to identify potential threats or suspicious activity. By using the limit=20, we're limiting our results to only show the top 20 users with the highest frequency of login attempts.
Query 2:
index=mydfir-lab1 failed host=linuxvm source="auth.log" sourcetype=linux_auth_logs | top limit=20 src_ip
Visualization: Single Value
Panel Title: Top Source IP
Replacing user with src_ip to show us the top source IP address of the failed login attempts. Again, we're using the top command to find the top 20 source IP addresses (src_ip) that have attempted to log in instead.
Query 3:
index=mydfir-lab1 failed host=linuxvm source="auth.log" sourcetype=linux_auth_logs | stats count by user | sort -count
Visualization: Statistics Table
Panel Title: Failed Attempts by User
Shows stats for failed login attempts by users. Use the stats command to count the number of times each username has attempted to log in. Finally, we're sorting our results in descending order (-count) so that we can see which usernames have attempted to log in the most frequently.
Query 4:
index=mydfir-lab1 host=linuxvm source="auth.log" sourcetype=linux_auth_logs msg="Accepted password" | iplocation src_ip| stats count by _time, Country, user, src_ip
Visualization: Statistics Table
Panel Title: Successful Attempts by User
Here we are using anothing built-in Splunk command, iplocation, to approximately geolocate the source IP addresses. Stats command to look for stats for successful logins grouping our results by _time, Country, user, and src_ip (geolocated location) and counting how many times each unique combo appears.
Query 5:
index=mydfir-lab1 host=linuxvm | iplocation src_ip |stats count by Country | geom geo_countries allFeatures=True featureIdField=Country
Visualization: Choropleth Map
Format > Colors > Color Mode: Categorical
Panel Title: Heat Map Network Activity
Finally we use the built-in geom command to visualize the geographic distribution of our results we're creating a map that shows the countries we've geolocated, with each country represented by a marker on the map. The size and color of the markers will depend on the count value (i.e., how many times each country was seen in our logs).
Top comments (0)