topic Re: Need help making a swimlane for All Privileged Authentication Attempts in Security

Need help making a swimlane for All Privileged Authentication Attempts

MikeVenable — Sat, 03 Aug 2019 07:09:48 GMT

I'm trying to make a Swimlane search to use the Authentication Datamodel, and the Privileged Authentication Dataset, and only return users entered into the identity investigator.

This is what I have so far. Thanks!

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

Re: Need help making a swimlane for All Privileged Authentication Attempts

DavidHourani — Sun, 04 Aug 2019 08:36:58 GMT

Which app are you using ? Are you on https://splunkbase.splunk.com/app/3708/ ?

Re: Need help making a swimlane for All Privileged Authentication Attempts

MikeVenable — Mon, 05 Aug 2019 23:52:55 GMT

ES, I'm just making a swimlane search. https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Createswimlanesearches

Re: Need help making a swimlane for All Privileged Authentication Attempts

MikeVenable — Wed, 30 Sep 2020 01:38:40 GMT

This search pulls all Authentication attempts from the Authentication datamodel,

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

I just need this search refined to only pull Privileged Authentication Attempts, from the Privileged_Authentication dataset from the authentication datamodel but just changing datamodel=Authentication.Authentication to datamodel=Authentication.Privileged_Authentication doesn't work, because I get the error Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel

The $constraints$ should be the same because the dataset Inherits the datamodel constraints. Or atleast that's how I understand it...

Re: Need help making a swimlane for All Privileged Authentication Attempts

DavidHourani — Tue, 06 Aug 2019 05:57:33 GMT

Are you using this in the $contraints$ variable : (nodename = Authentication.Privileged_Authentication) ?

Your search should look like this :

... datamodel=Authentication where (nodename = Authentication.Privileged_Authentication) ...

Re: Need help making a swimlane for All Privileged Authentication Attempts

MikeVenable — Tue, 06 Aug 2019 19:19:34 GMT

Yeah we tried this

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,values(Authentication.tag) as tag,count from datamodel=Authentication where (nodename = Authentication.Privileged_Authentication $constraints$ by _time span=$span$)

It "Works" as in when you search for it via search it will return results, but it still wont return any swimlane results...

Does swimlane have to be tstats?

Re: Need help making a swimlane for All Privileged Authentication Attempts

MikeVenable — Tue, 06 Aug 2019 19:59:19 GMT

Got it to work, I just had to turn off acceleration since we were filtering with WHERE, and search filters can not be applied to accelerated datamodels! Thanks for the help. Below is the finale SPL.

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,values(Authentication.tag) as tag,count from datamodel=Authentication where nodename = Authentication.Privileged_Authentication $constraints$ by _time span=$span$