Splunk - SSH Dashboard Creation

Published at
11/29/2024
Categories
splunk
ssh
cybersecurity
Author
gabe-blog

Walk-through of the Splunk queries used to create a dashboard in Splunk using SSH telemetry that includes:

  • Top account failed
  • Top Source IP
  • Number of failed attempts by user
  • Successful logins
  • Heat map for all external activity

(Part of MyDFIR SOC Analyst Lab 1)

Query 1:
index=mydfir-lab1 failed host=linuxvm source="auth.log" sourcetype=linux_auth_logs | top user
(Results can be capped with | top limit=20 user.)

Visualization: Single Value
Panel Title: Top Failed Account

Shows us the name of the user with the highest number of failed login attempts.

Searching for:

  • Logs that are related to authentication (password acceptance)
  • From the "auth.log" file
  • On a specific machine called "linuxvm"
  • With logs of type "linux_auth_logs"

We're also using Splunk's built-in top command to find the top 20 users (user) that have attempted to log in. In other words, we're identifying the most frequent login attempts by username. This can be helpful for security teams to identify potential threats or suspicious activity. By using the limit=20, we're limiting our results to only show the top 20 users with the highest frequency of login attempts.


Query 2:
index=mydfir-lab1 failed host=linuxvm source="auth.log" sourcetype=linux_auth_logs | top limit=20 src_ip

Visualization: Single Value
Panel Title: Top Source IP

Replacing user with src_ip to show us the top source IP address of the failed login attempts. Again, we're using the top command to find the top 20 source IP addresses (src_ip) that have attempted to log in instead.


Query 3:

index=mydfir-lab1 failed host=linuxvm source="auth.log" sourcetype=linux_auth_logs | stats count by user | sort -count

Visualization: Statistics Table
Panel Title: Failed Attempts by User

Shows stats for failed login attempts by users. Use the stats command to count the number of times each username has attempted to log in. Finally, we're sorting our results in descending order (-count) so that we can see which usernames have attempted to log in the most frequently.


Query 4:

index=mydfir-lab1 host=linuxvm source="auth.log" sourcetype=linux_auth_logs msg="Accepted password" | iplocation src_ip| stats count by _time, Country, user, src_ip

Visualization: Statistics Table
Panel Title: Successful Attempts by User

Here we are using another built-in Splunk command, iplocation, to approximately geolocate the source IP addresses. The stats command then groups the successful logins by _time, Country (the geolocated field), user, and src_ip and counts how many times each unique combination appears.
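To see concretely what Queries 1 to 4 compute, here is an added Python example (not from the original post and not Splunk code) that re-implements the bare `failed` keyword search, `top`, and `stats count by ... | sort -count` over constructed sshd auth.log lines. The regex stands in for the field extraction the linux_auth_logs sourcetype performs, and Query 4's Country column is left out because iplocation relies on Splunk's bundled GeoIP database.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original post), in sshd's own format.
SAMPLE_AUTH_LOG = """\
Nov 29 10:01:02 linuxvm sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Nov 29 10:01:05 linuxvm sshd[1201]: Failed password for root from 203.0.113.5 port 41023 ssh2
Nov 29 10:01:09 linuxvm sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Nov 29 10:02:11 linuxvm sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 50100 ssh2
Nov 29 10:03:40 linuxvm sshd[1220]: Accepted password for gabe from 192.0.2.10 port 52222 ssh2
Nov 29 10:04:01 linuxvm sshd[1225]: Failed password for gabe from 192.0.2.10 port 52230 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<_time>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<msg>(?:Accepted|Failed) \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Field extraction standing in for the linux_auth_logs sourcetype: _raw, _time, msg, user, src_ip."""
    matches = (SSHD_RE.match(line) for line in text.splitlines())
    return [{"_raw": m.string, **m.groupdict()} for m in matches if m]

def search_failed(events):
    """The bare term `failed` in SPL is a case-insensitive match on the raw event text."""
    return [ev for ev in events if "failed" in ev["_raw"].lower()]

def top(events, field, limit=20):
    """Like `| top limit=N field`: most common values with their count and percent."""
    counts = Counter(ev[field] for ev in events)
    total = sum(counts.values())
    return [(val, n, round(100.0 * n / total, 2)) for val, n in counts.most_common(limit)]

def stats_count_by(events, *fields):
    """Like `| stats count by f1, f2, ... | sort -count` (ties broken by field values)."""
    counts = Counter(tuple(ev[f] for f in fields) for ev in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def dashboard_panels(text):
    """The four table/single-value panels; Query 4 is shown without Country since iplocation needs Splunk's GeoIP database."""
    events = parse_auth_log(text)
    failed = search_failed(events)
    accepted = [ev for ev in events if ev["msg"] == "Accepted password"]  # Query 4's msg filter
    return {
        "top_failed_account": top(failed, "user", limit=1),          # Query 1
        "top_source_ip": top(failed, "src_ip", limit=1),             # Query 2
        "failed_attempts_by_user": stats_count_by(failed, "user"),   # Query 3
        "successful_logins": stats_count_by(accepted, "_time", "user", "src_ip"),
    }
```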


Query 5:
index=mydfir-lab1 host=linuxvm | iplocation src_ip | stats count by Country | geom geo_countries allFeatures=True featureIdField=Country

Visualization: Choropleth Map
Format > Colors > Color Mode: Categorical
Panel Title: Heat Map Network Activity

Finally, we use the built-in geom command to visualize the geographic distribution of our results. We're creating a map that shows the countries we've geolocated, with each country represented by a marker on the map. The size and color of the markers depend on the count value (i.e., how many times each country was seen in our logs).
