Key Fields
subject.terminal_id.ip_address
IP address of the remotely controlling computer. Any actions done while in an ssh session will be tagged with the remote IP; any local actions will have a value of 0.0.0.0.
Filter and Refinement Fields
host_info.host_name (or host_uuid)
Filter and sort events based on which host they occurred on
exec_chain.thread_uuid
Follow a process execution tree linked together with a single thread_uuid. "What did that script just do?" is a common question easily answered by searching for the script's thread_uuid.
Interesting Events
AUE_SESSION_START
Generated any time a new user session is created
AUE_openssh
Generated any time a user successfully connects to the locally listening ssh service
Example Searches
// Searches are in Splunk's search format
All events with a remotely controlling computer:
NOT subject.terminal_id.ip_address=0.0.0.0
Thread UUIDs (exec_chain.thread_uuid) and child processes associated with each originating application:
(index="cmdreporter") parent_process="*" NOT subject.terminal_id.ip_address=0.0.0.0 | eval Destination=coalesce(app,'path.1','subject.process_name') | stats values(Destination), values(exec_chain.thread_uuid), values(host_info.host_name) count by parent_process | rename "values(Destination)" as Application, parent_process as "Originating App", "values(exec_chain.thread_uuid)" as "Thread UUIDs", "values(host_info.host_name)" as Hosts | table count, Hosts, "Originating App", "Thread UUIDs", Application | sort count
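The same "originating application" search carried out in Python over constructed events, as an added example that is not cmdReporter's or Splunk's own code. It assumes the events are nested JSON that Splunk flattens into the dotted field names used above, and that path.1 is the "1" key of a path object.

```python
import json
from collections import defaultdict

# Constructed sample events (not real audit output); nested layout is an assumption.
SAMPLE_LINES = [
    json.dumps({"parent_process": "sshd", "path": {"1": "/usr/bin/curl"},
                "subject": {"process_name": "curl", "terminal_id": {"ip_address": "203.0.113.7"}},
                "exec_chain": {"thread_uuid": "AAA-1"}, "host_info": {"host_name": "mac-01"}}),
    json.dumps({"parent_process": "sshd",
                "subject": {"process_name": "bash", "terminal_id": {"ip_address": "203.0.113.7"}},
                "exec_chain": {"thread_uuid": "AAA-1"}, "host_info": {"host_name": "mac-01"}}),
    json.dumps({"parent_process": "Terminal", "app": "Finder",  # local action, filtered out
                "subject": {"process_name": "ls", "terminal_id": {"ip_address": "0.0.0.0"}},
                "exec_chain": {"thread_uuid": "CCC-3"}, "host_info": {"host_name": "mac-01"}}),
    json.dumps({"parent_process": "launchd", "app": "Safari",
                "subject": {"process_name": "Safari", "terminal_id": {"ip_address": "198.51.100.9"}},
                "exec_chain": {"thread_uuid": "BBB-2"}, "host_info": {"host_name": "mac-02"}}),
    json.dumps({"subject": {"process_name": "zsh", "terminal_id": {"ip_address": "198.51.100.9"}},
                "exec_chain": {"thread_uuid": "DDD-4"}, "host_info": {"host_name": "mac-02"}}),  # no parent_process
]


def field(event, dotted):
    """Resolve a Splunk-style dotted field name against the nested event; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def coalesce(event, *names):
    """Mirror Splunk's coalesce(): the first listed field that exists and is non-null."""
    return next((v for v in (field(event, n) for n in names) if v is not None), None)


def originating_apps(lines):
    """Group remotely controlled executions by parent_process, as the Splunk search does."""
    groups = defaultdict(lambda: {"count": 0, "hosts": set(), "thread_uuids": set(), "applications": set()})
    for line in lines:
        ev = json.loads(line)
        # parent_process="*" requires the field; NOT ...=0.0.0.0 drops local sessions
        if field(ev, "parent_process") is None or field(ev, "subject.terminal_id.ip_address") == "0.0.0.0":
            continue
        g = groups[ev["parent_process"]]
        g["count"] += 1
        g["hosts"].add(field(ev, "host_info.host_name"))
        g["thread_uuids"].add(field(ev, "exec_chain.thread_uuid"))
        g["applications"].add(coalesce(ev, "app", "path.1", "subject.process_name"))
    # stats values() yields unique values; sort count ascending like the original search
    return sorted(({"originating_app": k, **{f: sorted(v) if isinstance(v, set) else v for f, v in g.items()}}
                   for k, g in groups.items()), key=lambda r: r["count"])
```

Run `originating_apps(SAMPLE_LINES)` to get one row per originating app; the Terminal event and the event with no parent_process are dropped, matching the search's filters.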