Fundamentals

'()*+, :*+9;<7+5;)6 % >;? @A71.2676 >;? 5B(C31;(42.;) .C+87+52C+6D Esourcetype=db_audit F GH Ecs_mime_type F 2+92.;576 725471 ; 6C*1.7 5B(7 C1 547 +;<7 CI ; I27)9/ AB"C6

>;? RC1, R2)) ?7 9C+7 C+ BC*1 (716C+;) .C<(*571 C1 8215*;) 8215*;) <;.42+7Q +C );? 7+821C+<7+5 26 (1C82979/ K7 6*33765 BC* DB AB" 9C AB" 9C 547 );? RC1, C+ BC*1 (1C9*.52C+ 7+821C+<7+5/

J47 );? 2+651*.52C+6 17I71 5C 54767 6C*1.7 5B(76 ?B 547 5B(76 CI 9;5; 547B 17(1767+5D "#

%$&'()*%+#

%$,-%./0 '1 -2+%)%0+

K7? 0(()2.;52C+

access_combined_wcookie

action, bytes, categoryId, clientip, itemId, JSESSIONID, productId, referer, referer_domain, status, useragent, file

L;5;?;67

db_audit

Command, Duration, Type

K7? 671871

linux_secure

COMMAND, PWD, pid, process

>;? MC9*)7 %N O P17;52+3 0)7156 EF@AGAH6

J426 );? R2)) +C5 RC1, R254 ; I177 )2.7+67/ =)7;67 C+)B 9C 5426 );? 2I BC*1 512;) )2.7+67 4;6 +C5 .C+871579 5C ; I177 )2.7+67/

AB"C6

J426 );? 9C.*<7+5 4;6 5RC 67.52C+6/ 67.52C+6/ J47 I2165 67.52C+ 2+.)*976 547 2+651*.52C+6 R254C*5 ;+6R716/ J47 67.C+9 67.52C+ 2+.)*976 2+651*.52C+6 R254 547 7A(7.579 67;1.4 6512+3 U;+6R71V 2+ 179 179// J426 .C*167 R2)) *67 2+571+;) '()*+, 9;5; ;+9 17W*217 ;+ 09<2+ ;..C*+5/ L76.12(52C+ -+ 5426 );? 7A71.267Q BC* R2)) .17;57 ;+9 5123371 ;+ ;)715 54;5 R2)) 926();B 2+ 547 '()*+, 2+571I;.7/ &*%23)-'DD &*%23)-'

:C1 67.*125B 17;6C+6Q BC* +779 5C
"304 56 78329% (0%) 3**'(2+ 32/ )(2 3 03:$.% 0%3)*8; >C3 C*5 CI '()*+, @+571(1267 *62+3 547 (23:% < ='9'(+ <7+*/ ='9'(+ <7+*/ @+571 admin IC1 *671 +;<7 ;+9 547 (;66RC19 CI WrongPassword. TCRQ 7+571 admin IC1 *671 +;<7 ;+9 547 (;66RC19 BC* 67)7.579 2+ MC9*)7 N/ T;823;57 5C 547 '7;1.4 827R/ U-I BC* ;17 2+ 547 >':% >':% ;((Q ;((Q .)2., &%3)*8 ? @%$')+-29 I1C< @%$')+-29 I1C< 547 .C)*<+ C+ 547 )7I5 6297 CI 547 6.177+/ SC* .;+ ;)6C ;..766 547 '7;1.4 827R ?B .)2.,2+3 547 &%3)*8 &%3)*8 <7+* <7+* C(52C+ C+ 547 3177+ ?;1 ;5 547 5C( CI 547 6.177+/V " #$%& '()*+, -+./ 0)) 123456 17671879/

'()*+, :*+9;<7+5;)6 %

=;37 %

'7;1.4 547 _audit 2+97A IC1 787+56 R4717 547 action CI "login attempt" 175*1+79 ; Xfailed" info 8;)*7 IC1 547 username CI admin C871 547 =30+ 5I J-2(+%0/ !"#$%&' )'*+&,*-

"304 K6 7)%3+% 32 3.%)+; :1C< 547 &3L% F0 <7+*Q 67)7.5 F.%)+; J25)7 547 ;)715D Splunk Web Login Attempts :C1 M%):-00-'20Q 67)7.5 &83)%/ -2 F$$/ :C1 F.%)+ +#$%Q 67)7.5 @%3.N+-:%/ :C1 ")-99%) 3.%)+ O8%2Q 67)7.5 A(:P%) '1 @%0(.+0/ '75 547 +*-98/ !"#$%&'-

P)2., &3L% ;+9 P)2., Q-%O F.%)+; "304 R6 "%0+ 3.%)+; >C3 C*5 CI '()*+, @+571(1267 *62+3 547 F/:-2-0+)3+') < ='9'(+ <7+*/ " #$%& '()*+, -+./ 0)) 123456 17671879/

'()*+, :*+9;<7+5;)6 %

=;37 #

@+571 admin IC1 *671 +;<7 ;+9 547 (;66RC19 CI WrongPassword 54177 52<76 2+ ; 1CR/ TCRQ 7+571 admin IC1 *671 +;<7 ;+9 547 .C117.5 (;66RC19/ :1C< 547 '()*+, ?;1Q .)2., F*+-L-+# Y ")-99%)%/ F.%)+0/ M;,7 6*17 &%3)*8 ? @%$')+-29 26 67)7.579 IC1 F$$; !"#$%&'-

P)2., 547 Q-%O )%0(.+0 )2+, C+ ; 512337179 ;)715 5C 677 547 787+5U6V 54;5 .;*679 547 ;)715/

" #$%& '()*+, -+./ 0)) 123456 17671879/

'()*+, :*+9;<7+5;)6 %

=;37 N

'()*+, :*+9;<7+5;)6 % >;? @A71.2676 >;? 5B(C31;(42.;) .C+87+52C+6D Esourcetype=db_audit F GH Ecs_mime_type F 2+92.;576 725471 ; 6C*1.7 5B(7 C1 547 +;<7 CI ; I27)9/ AB"C6

>;? QC1, Q2)) ?7 9C+7 C+ BC*1 (716C+;) .C<(*571 C1 8215*;) <;.42+7R +C );? 7+821C+<7+5 26 (1C82979/ K7 6*33765 BC* DB AB" 9C 547 );? QC1, C+ BC*1 (1C9*.52C+ 7+821C+<7+5/

J47 );? 2+651*.52C+6 17I71 5C 54767 6C*1.7 5B(76 ?B 547 5B(76 CI 9;5; 547B 17(1767+5D "#

%$&'()*%+#

%$,-%./0 '1 -2+%)%0+

K7? 0(()2.;52C+

access_combined_wcookie

action, bytes, categoryId, clientip, itemId, JSESSIONID, productId, referer, referer_domain, status, useragent, file

L;5;?;67

db_audit

Command, Duration, Type

K7? 671871

linux_secure

COMMAND, PWD, pid, process

>;? MC9*)7 %N O P17;52+3 0)7156 Q254 'C)*52C+6 EF@AGAH6

J426 );? Q2)) +C5 QC1, Q254 ; I177 )2.7+67/ =)7;67 C+)B 9C 5426 );? 2I BC*1 512;) )2.7+67 4;6 +C5 .C+871579 5C ; I177 )2.7+67/

AB"C6

J426 );? 9C.*<7+5 4;6 5QC 67.52C+6/ J47 I2165 67.52C+ 2+.)*976 547 2+651*.52C+6 Q254C*5 ;+6Q716/ J47 67.C+9 67.52C+ 2+.)*976 2+651*.52C+6 Q254 547 7A(7.579 67;1.4 6512+3 U;+6Q71V 2+ 179/ J426 .C*167 Q2)) *67 2+571+;) '()*+, 9;5; ;+9 17W*217 ;+ 09<2+ ;..C*+5/ L76.12(52C+ -+ 5426 );? 7A71.267R BC* Q2)) .17;57 ;+9 5123371 ;+ ;)715 54;5 Q2)) 926();B 2+ 547 '()*+, 2+571I;.7/ &*%23)-'D

:C1 67.*125B 17;6C+6R BC* +779 5C
"304 56 78329% (0%) 3**'(2+ 32/ )(2 3 03:$.% 0%3)*8; >C3 C*5 CI '()*+, @+571(1267 *62+3 547 (23:% < ='9'(+ <7+*/ @+571 admin IC1 *671 +;<7 ;+9 547 (;66QC19 CI WrongPassword. TCQR 7+571 admin IC1 *671 +;<7 ;+9 547 (;66QC19 BC* 67)7.579 2+ MC9*)7 N/ T;823;57 5C 547 '7;1.4 827Q/ U-I BC* ;17 2+ 547 >':% ;((R .)2., &%3)*8 ? @%$')+-29 I1C< 547 .C)*<+ C+ 547 )7I5 6297 CI 547 6.177+/ SC* .;+ ;)6C ;..766 547 '7;1.4 827Q ?B .)2.,2+3 547 &%3)*8 <7+* C(52C+ C+ 547 3177+ ?;1 ;5 547 5C( CI 547 6.177+/V " #$%& '()*+, -+./ 0)) 123456 17671879/

'()*+, :*+9;<7+5;)6 %

=;37 %

'7;1.4 547 _audit 2+97> ?@1 787+56 A4717 547 action @? "login attempt" 175*1+79 ; Bfailed" info 8;)*7 ?@1 547 username @? admin @871 547 !"#$ &' ()*+$,#/ C2+97>DE;*925 ;.52@+DB)@32+ ;557<(5B 2+?@D?;2)79 *671D;9<2+F !"#$%&' )'*+&,*-

-"#. /0 12,"$, "* "3,2$4 :1@< 547 5"6, 7# <7+*G 67)7.5 73,2$4 H25)7 547 ;)715I Splunk Web Login Attempts :@1 8,29)##):*#G 67)7.5 5;"2,< )* 7==/ :@1 73,2$ $>=,G 67)7.5 ?,"3@$)9,/ :@1 -2)AA,2 "3,2$ B;,*G 67)7.5 C+9D,2 :E ?,#+3$#/ '75 547 +*/ :@1 5+==2,## 2,#+3$# G:*$")*)*A E),3< 6"3+,G 5L(7I host M;,7 6*17 5+==2,## $2)AA,2)*A ?@1 26 675 5@ 60 67.@+96/ K)2., 7<< 7G$):*# ;+9 67)7.5 7<< $: -2)AA,2,< 73,2$#/ '75 547 5,6,2)$> 5@ H)A;/ !"#$%&'-

K)2., 5"6, ;+9 K)2., I),B 73,2$4

" #$%& '()*+, -+./ 0)) 123456 17671879/

'()*+, :*+9;<7+5;)6 %

=;37 #

!"#$ &' !(#) "*(+), ?@3 @*5 @A '()*+, B+571(1267 *62+3 547 -./010#)+")2+ 3 42526) <7+*/ B+571 admin A@1 *671 +;<7 ;+9 547 (;66C@19 @A WrongPassword 54177 52<76 2+ ; 1@C/ D@CE 7+571 admin A@1 *671 +;<7 ;+9 547 [email protected] (;66C@19/ :1@< 547 '()*+, F;1E .)2., -7)080)9 G !+055(+(. -*(+)#/ H;,7 6*17 :("+7; < =(>2+)015 26 67)7.579 A@1 ->>, !"#$%&'(

I)2., 547 ?0(@ +(#6*)# )2+, @+ ; 512337179 ;)715 5@ 677 547 787+5J6K 54;5 .;*679 547 ;)715/

" #$%& '()*+, -+./ 0)) 123456 17671879/

'()*+, :*+9;<7+5;)6 %

=;37 >

Fundamentals

Recommend Documents