Alerting

Why can I not see events from tstats?

HathMH
Path Finder

First of all I am new to cyber, and got splunk dumped in my lap. I am really trying to get knowledgeable on it but
1) I am horrible with coding and apparently that includes Regex
2) Long lines of code or search strings is like sensory overload to me

That being said, I am trying to clean up our alerts as we are getting bogged down daily with well over 3k alerts that could most likely be expunged. Many of our alerts are based on tstat search strings. It shows a great report but I am unable to get into the nitty gritty. For example, the brute force string below, it brings up a Statistics table with various elements (src, dest, user, app, failure, success, locked) showing failure vs success counts for particular users who meet the criteria in the string. 

My issue, I try to click on a user, choose view events, brings up new search with a modified string (of course) but still only shows tstats table, but with different headers (action, src, det, user, app, count, failure, success). 

What I would like to do is when I click to choose view event for a particular user, it actually shows me that even and correlating log input. Is this possible? Why would I want an brute force alert if I cannot narrow down to the events, especially the failure logins?

Again, please have mercy, I am entry level and still learning splunk. I love the apps and abilities it has but using the search box is like i lost all my intelligence.


The brute force search

| tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication by Authentication.action, Authentication.src, Authentication.dest, Authentication.user
| `drop_dm_object_name("Authentication")`
| search user!=unknown user!=SYSTEM app!=splunkd_remote_searches src!=MWG* user!=TWC-*
| eval success=if(action="success",count,0),failure=if(action="failure",count,0)
| stats values(dest) as dest, values(user) as user, values(app) as app, sum(failure) as failure, sum(success) as success by src
| join user [search index=top_wineventlog EventCode=4740 | eventstats count(user) as locked_count by user | dedup user, host | table user, locked_count]
| search failure>30 success>0
| where failure>success

 

Labels (2)
0 Karma

gcusello
Esteemed Legend

Hi @HathMH,

tstats is a command that works on indexed fields, this means that you cannot access the row data (for more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Tstats ).

Usually when an alert is created (I suppose that you're using ES) there's also a drilldown search created just to access the row data.

If you haven't you can create a search that use as filter your tstats rule, something like this:

index=* [ 
   | tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication by Authentication.action, Authentication.src, Authentication.dest, Authentication.user
   | `drop_dm_object_name("Authentication")`
   | search user!=unknown user!=SYSTEM app!=splunkd_remote_searches src!=MWG* user!=TWC-*
   | eval 
    success=if(action="success",count,0),failure=if(action="failure",count,0)
   | stats values(dest) as dest, values(user) as user, values(app) as app, sum(failure) as failure, sum(success) as success by src
   | join user [search index=top_wineventlog EventCode=4740 | eventstats count(user) as locked_count by user | dedup user, host | table user, locked_count]
   | search failure>30 success>0
   | where failure>success 
   | fields dest user app src ]

Ciao.

Giuseppe

HathMH
Path Finder

Thank you, I tried that and it errors out. I may play around with that index=* [] and see what happens

0 Karma

gcusello
Esteemed Legend

Hi @HathMH,

ok, tell me if you solved and please accept the answer for the other people of Community or otherwise, telle me how to help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...