https://community.splunk.com/t5/Splunk-Search/Is-the-Enterprise-Security-ECSU-Remote-Desktop-Network/m-p/468781#M195720 <P>Hi Splunkers,</P> <P>I was wading through some of the Enterprise Security correlation searches and I noticed that the <EM>Remote Desktop Network Bruteforce</EM> search (defined in <EM>$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/default/savedsearches.conf</EM>) appears to be attempting to identify an anomalous count of RDP network connections by getting a <EM>count</EM> from <EM>tstats</EM>, then checking if 'count&gt;(stdev*2)'.</P> <P>Now I've never been particularly good at statistics, but I thought that a common method for detecting outliers was to check for values that were more than 2 (or 3) standard deviations <STRONG>from the mean</STRONG>, rather than more than 2 (or 3) standard deviations from zero?</P> <P>Most of the other outlier detection searches that I've seen do 'avg + (2 * stdev)' type constructs (like the <EM>ESCU - SMB Traffic Spike - Rule</EM> correlation search in that same file for instance), so I tried to find some statistics background information and found <EM>How to Use Statistics to Identify Outliers in Data</EM><A href="https://machinelearningmastery.com/how-to-use-statistics-to-identify-outliers-in-data/">1</A>, which mentions the 'Standard Deviation Method'. That goes on to say that the data can be 'normalised' so that the mean is zero, which I believe would explain the expression in the correlation search not taking <EM>avg</EM> in to account, but I can't see anything in that search query to 'normalise' the data (not that I'd know what that looked like, but it is just getting a straight <EM>count</EM> from <EM>tstats</EM> so I'm assuming it isn't normalised?).</P> <P>Also, to further back up my theory, the <EM>description</EM> field for the correlation search in the above-mentioned <EM>savedsearches.conf</EM> file states:</P> <BLOCKQUOTE> <P>This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation <STRONG>of the average traffic</STRONG></P> </BLOCKQUOTE> <P>So, thinking that this may actually be a bug, I checked for a later version of the <EM>ES Content Updates</EM> app (I'm running v1.0.38) and found v1.0.41. Downloading and checking that shows the same potential problem in v1.0.41 too.</P> <P>The following UNIX command will show any search string mentioning 'stdev' along with the stanza name (for the search name), for comparison -- some take the <EM>avg</EM> in to account and some don't:</P> <BLOCKQUOTE> <P>grep "[|[=|][^=|]*stdev" "$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/default/savedsearches.conf" |grep -B 1 "stdev"</P> </BLOCKQUOTE> <P>This isn't really a problem as such, because I can just redo the correlation search and add the calculated <EM>avg</EM> field. I'm just after some sort of confirmation as to whether or not the existing search string is correct, as it produces more notable events without using <EM>avg</EM> than with.</P> <P>Thanks,<BR /> Karl</P> Thu, 29 Aug 2019 05:17:03 GMT grashupfer 2019-08-29T05:17:03Z https://community.splunk.com/t5/Splunk-Search/Is-the-Enterprise-Security-ECSU-Remote-Desktop-Network/m-p/468781#M195720 <P>Hi Splunkers,</P> <P>I was wading through some of the Enterprise Security correlation searches and I noticed that the <EM>Remote Desktop Network Bruteforce</EM> search (defined in <EM>$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/default/savedsearches.conf</EM>) appears to be attempting to identify an anomalous count of RDP network connections by getting a <EM>count</EM> from <EM>tstats</EM>, then checking if 'count&gt;(stdev*2)'.</P> <P>Now I've never been particularly good at statistics, but I thought that a common method for detecting outliers was to check for values that were more than 2 (or 3) standard deviations <STRONG>from the mean</STRONG>, rather than more than 2 (or 3) standard deviations from zero?</P> <P>Most of the other outlier detection searches that I've seen do 'avg + (2 * stdev)' type constructs (like the <EM>ESCU - SMB Traffic Spike - Rule</EM> correlation search in that same file for instance), so I tried to find some statistics background information and found <EM>How to Use Statistics to Identify Outliers in Data</EM><A href="https://machinelearningmastery.com/how-to-use-statistics-to-identify-outliers-in-data/">1</A>, which mentions the 'Standard Deviation Method'. That goes on to say that the data can be 'normalised' so that the mean is zero, which I believe would explain the expression in the correlation search not taking <EM>avg</EM> in to account, but I can't see anything in that search query to 'normalise' the data (not that I'd know what that looked like, but it is just getting a straight <EM>count</EM> from <EM>tstats</EM> so I'm assuming it isn't normalised?).</P> <P>Also, to further back up my theory, the <EM>description</EM> field for the correlation search in the above-mentioned <EM>savedsearches.conf</EM> file states:</P> <BLOCKQUOTE> <P>This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation <STRONG>of the average traffic</STRONG></P> </BLOCKQUOTE> <P>So, thinking that this may actually be a bug, I checked for a later version of the <EM>ES Content Updates</EM> app (I'm running v1.0.38) and found v1.0.41. Downloading and checking that shows the same potential problem in v1.0.41 too.</P> <P>The following UNIX command will show any search string mentioning 'stdev' along with the stanza name (for the search name), for comparison -- some take the <EM>avg</EM> in to account and some don't:</P> <BLOCKQUOTE> <P>grep "[|[=|][^=|]*stdev" "$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/default/savedsearches.conf" |grep -B 1 "stdev"</P> </BLOCKQUOTE> <P>This isn't really a problem as such, because I can just redo the correlation search and add the calculated <EM>avg</EM> field. I'm just after some sort of confirmation as to whether or not the existing search string is correct, as it produces more notable events without using <EM>avg</EM> than with.</P> <P>Thanks,<BR /> Karl</P> Thu, 29 Aug 2019 05:17:03 GMT https://community.splunk.com/t5/Splunk-Search/Is-the-Enterprise-Security-ECSU-Remote-Desktop-Network/m-p/468781#M195720 grashupfer 2019-08-29T05:17:03Z