https://community.splunk.com/t5/Splunk-Enterprise-Security/Separating-Kerberos-Events-in-Datamodel-Authentication/m-p/399516#M4515 <P>If you don't need Logon Process: Kerberos events, you can filter them in the universal forwarder on the windows server using blacklist to filter 4624 with kerberos.</P> <P>On the other hand, if you do not want to filter them (as they may be required for forensics/analysis of auth processes during incident), you can define a custom field in the Authentication datamodel and map logon process which can be used to filter in your tstats search .</P> Wed, 16 Jan 2019 14:57:37 GMT lakshman239 2019-01-16T14:57:37Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Separating-Kerberos-Events-in-Datamodel-Authentication/m-p/399515#M4514 <P>Greetings--</P> <P>Kerberos will attempt to impersonate a user by requesting tickets from the Domain Controllers on any domain joined computers OR if a user is logging into a .NET web service, this generates a LOT of noise and triggers our Brute Force, Excessive Login, and Geographically Improbable Access notables.<BR /> The goal is to clean-up and/or suppress <STRONG>Notable Events</STRONG> within <STRONG>Enterprise Security</STRONG> that are related to Kerberos.</P> <P>Looking at:</P> <PRE><CODE> |from datamodel:"Authentication"."Authentication" | search kerberos </CODE></PRE> <P>We see that each kerberos logon process contains 3 event codes AS signature_id:<BR /> 4624<BR /><BR /> 4769<BR /><BR /> 4768</P> <P>For the latter two, </P> <P>4769:--<BR /> TaskCategory=Kerberos Service Ticket Operations</P> <P>4768:--<BR /> TaskCategory=Kerberos Authentication Service</P> <P>I can modify the Correlation Searches to filter event 4768 or 4769 as they relate exclusively to Kerberos.<BR /> e.g.</P> <PRE><CODE>| `tstats` min(_time),earliest(Authentication.app) from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature_id!="4768" AND Authentication.signature_id!="4768" by Authentication.src,Authentication.user [...and so forth...] </CODE></PRE> <P>The issue: <BR /> Events 4624 are generated for ANY logon event, kerberos or otherwise.<BR /> Looking at a RAW event, I see that 4624: contains a field: Logon Process: Kerberos:</P> <PRE><CODE>Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: Package Name (NTLM only): Key Length: 0 </CODE></PRE> <P>This is properly extracted on index="wineventlog:security" but does not seem to be so when we do a search against the datamodel (which is primarily CIM fields).</P> <P>Question:<BR /> How else can I isolate these events and use them in Correlation Searches?</P> Tue, 15 Jan 2019 19:14:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Separating-Kerberos-Events-in-Datamodel-Authentication/m-p/399515#M4514 richardphung 2019-01-15T19:14:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Separating-Kerberos-Events-in-Datamodel-Authentication/m-p/399516#M4515 <P>If you don't need Logon Process: Kerberos events, you can filter them in the universal forwarder on the windows server using blacklist to filter 4624 with kerberos.</P> <P>On the other hand, if you do not want to filter them (as they may be required for forensics/analysis of auth processes during incident), you can define a custom field in the Authentication datamodel and map logon process which can be used to filter in your tstats search .</P> Wed, 16 Jan 2019 14:57:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Separating-Kerberos-Events-in-Datamodel-Authentication/m-p/399516#M4515 lakshman239 2019-01-16T14:57:37Z