Watch List In Splunk


This is a simple way to put someone on a watchlist. It is not only for external threats but for internal ones as well, and it is useful for seeing whether anyone is exfiltrating sensitive files or trying to connect to unauthorised hosts.

Try looking through the same logs without Splunk: it will take you ages, and life will have evolved by then.

In one click you get a digital footprint of the person on the watchlist: a quick check of login successes and failures, a list of the commands they have been running, and the hosts they have been trying to log in to.

Create a lookup file, authorised_users.csv, add it to the lookups folder, and then create a simple dashboard that uses a dropdown input populated from the CSV file; add the widgets as required.

authorised_users.csv

user,is_approved
bsimpson,yes
hford,yes
splunk,yes

Create a token based on the selected user, and run searches such as the example below.

| from datamodel:"Authentication.Failed_Authentication" | search user=$user_token$ | stats count
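The following Simple XML dashboard wires the lookup, the dropdown token and the search panels together. It is an added example, not the dashboard from the original post. It assumes the CIM Authentication data model is populated (so the Successful_Authentication, Failed_Authentication and Authentication datasets and the user, dest and action fields exist), and the command-history panel assumes an index and sourcetype of your own, shown as the placeholders YOUR_INDEX and YOUR_AUDIT_SOURCETYPE, whose events carry user, host and command fields.

```xml
<form version="1.1">
  <label>Watchlist</label>

  <!-- Dropdown populated from the lookup; the selected user is exposed as $user_token$ -->
  <fieldset submitButton="false">
    <input type="dropdown" token="user_token" searchWhenChanged="true">
      <label>User on watchlist</label>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| inputlookup authorised_users.csv | fields user</query>
      </search>
    </input>
    <!-- Shared time picker so every panel looks at the same window -->
    <input type="time" token="time_range">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Row 1: the quick login success / failure check -->
  <row>
    <panel>
      <title>Successful logins</title>
      <single>
        <search>
          <query>| from datamodel:"Authentication.Successful_Authentication" | search user=$user_token$ | stats count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>Failed logins</title>
      <single>
        <search>
          <query>| from datamodel:"Authentication.Failed_Authentication" | search user=$user_token$ | stats count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
      </single>
    </panel>
  </row>

  <!-- Row 2: hosts the user has tried to reach, and commands they have run -->
  <row>
    <panel>
      <title>Hosts this user has tried to log in to</title>
      <table>
        <search>
          <query>| from datamodel:"Authentication.Authentication" | search user=$user_token$ | stats count AS attempts, values(action) AS outcomes BY dest | sort - attempts</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <!-- Assumption: YOUR_INDEX / YOUR_AUDIT_SOURCETYPE are placeholders for your own command-audit data -->
      <title>Commands run</title>
      <table>
        <search>
          <query>index=YOUR_INDEX sourcetype=YOUR_AUDIT_SOURCETYPE user=$user_token$ command=* | stats count BY host, command | sort - count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste this into the source editor of a new dashboard. Because searchWhenChanged is set on the dropdown, picking a name refreshes every panel at once, which is the one-click footprint described above. The dropdown only offers names present in authorised_users.csv, so the lookup has to be maintained as people are added to or removed from the watchlist, and the single-value counts are only meaningful for the time window chosen in the picker.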


Done
