topic search index for IP correlation in Splunk Search

search index for IP correlation

ldunzweiler — Mon, 09 Mar 2020 18:53:47 GMT

I am trying to do this logic. Each "IF" I can do separately no issue. However, I am not sure how to combine these two searches together as the second search is based off the output of the first.

IF we see more than 10 failed events (1201 OR 1203)

THEN IF we see more than 2 different users

    print ForwardedIP

    Pipe
        IF we see successful events (1200 OR 1202)

            Print Usernames

The searches basically consist of

index="auth" EventCode=1201 OR EventCode=1203 | rex "(?[^<]+)" | rex "(?[^<]+)" | stats values(UserId) as UserId by ForwardedIpAddress

And then EventCode 1200 and 1202 for successful auth.

If we see bad auths with multiple users from the same IP, and then we see a successful auth we want to know about it.

Re: search index for IP correlation

xavierashe — Mon, 09 Mar 2020 19:39:34 GMT

Give map at try.

index="auth" EventCode=1201 OR EventCode=1203 | rex "(?[^\<]+)" | rex "(?[^\<]+)" | stats values(UserId) as UserId by ForwardedIpAddress | map search="search index=auth EventCode=1200 OR EventCode=1202 UserId=$UserId$"

Re: search index for IP correlation

skoelpin — Mon, 09 Mar 2020 19:41:16 GMT

Try something like this

| stats count user_count by UserId, EventCode, ForwardedIpAddress
| eval NEW_FIELD=if(user_count>=2 AND (EventCode=1201 OR EventCode=1202),"Multiple users, same IP","Nothing to see here")

Re: search index for IP correlation

skoelpin — Mon, 09 Mar 2020 19:43:59 GMT

Not a good idea to use map here.. You're already filtering down the eventcode's in the base of the search and iterating against each user_id field. What happens if there's hundreds of thousands of users? This is going to crush performance and does not scale well. Better approach is to use stats and pre-process the data and feed that into a conditional statement

Re: search index for IP correlation

woodcock — Tue, 10 Mar 2020 05:58:05 GMT

Like this:

index="auth" AND (EventCode="1201" OR EventCode="1203" OR EventCode="1200" OR EventCode="1202")
| rex GarbledWhatever
| stats count(eval(EventCode="1201" OR EventCode="1203")) AS failed count(eval(EventCode="1200" OR EventCode="1202")) AS successful values(UserId) AS UserId dc(UserId) AS userCount BY ForwardedIpAddress
| where userCount>2 AND failed>10 AND successful>0