Techniques
Sample rules
Detect New Login Attempts to Routers
- source: splunk
- technicques:
Description
The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.
Detection logic
| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user
| eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0)
| where isOutlier=1
| `security_content_ctime(earliest)`
| `security_content_ctime(latest)`
| `drop_dm_object_name("Authentication")`
| `detect_new_login_attempts_to_routers_filter`