InfoSec app for Splunk - How do you see events?

eliasit
Path Finder

Hello Splunkers,
I have the InfoSec for Splunk App (https://splunkbase.splunk.com/app/4240/#/overview) installed and working. I'm getting data into it and it is using that data. My issue is that when I go to an alert (any alert) it will show me the stats but not any of the actual events. (Yes it is in verbose mode) The events tab shows X number of events but when I click the events tab it says "no results". I think (please correct me if I'm wrong) this is normal behavior if using the tstats command, so how can I look at the actual events the search is finding?

I don't have enough karma points to add screenshots but this is the search the alert is using.

| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.src as source, Authentication.action as action
| chart last(count) over source by action
| where success>0 and failure>20
| sort -failure
| rename failure as failures
| fields - success, unknown

For my data this returns 2 IPs and the number of failures for each. I think that these are false positives (some app, utility, script, etc. with an old password) but need to see the actual events to be certain.
Thanks for taking the time to read this.

System details
Stand-alone Splunk Enterprise 7.3
InfoSec app version 1.4
CIM version 4.11

1 Solution

igifrin_splunk
Splunk Employee

Hello @eliasit, you are correct - tstats will not show you raw events. That's by design, as tstats in this case uses an accelerated data model and does not touch raw events. That lets you report on millions or billions of events in seconds.

If you are after drilling down into the details of the Brute Force Attack report like the one in the screenshot below

[screenshot: Brute Force Attack report]

you can do a couple of things:

  1. Click on the source (IP or hostname). It will take you to the investigation dashboard where you can see the successful and failed authentications charts. Click on an element of a chart to get to the raw events.
  2. Modify the tstats search string to something that does not use tstats:

    tag=authentication
    | stats count by action, src
    | chart last(count) over src by action
    | where success>0 and failure>20


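The two options in the answer can also be combined: keep the fast tstats aggregate to pick the offending sources, then hand those sources to a raw-event search so you read the events rather than the summary. Option 2 on its own (tag=authentication without tstats) walks raw events for every source and gets slow on large indexes; the subsearch below only walks raw events for the sources that already crossed the threshold. This is an added example, not part of the original post or of the InfoSec app. It assumes the CIM Authentication fields (src, user, dest, app, action) are present on the raw tag=authentication events, the same 20-failure threshold as the alert, and that the outer search and the subsearch run over the same time range.

```spl
tag=authentication action=failure
    [| tstats summariesonly=t allow_old_summaries=t count
         from datamodel=Authentication
         where Authentication.action=failure
         by Authentication.src
       | rename Authentication.src as src
       | where count>20
       | fields src]
| stats count AS failures
        dc(user) AS distinct_users
        values(user) AS users
        values(dest) AS targets
        values(app) AS apps
        min(_time) AS first_seen
        max(_time) AS last_seen
        by src
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -failures
```

The subsearch returns a list of src values, which Splunk expands into `(src="...") OR (src="...")` and applies to the raw tag=authentication search. To read the raw events themselves, delete everything from `| stats` onward; the subsearch alone narrows the search to the suspect sources. The stats line is the false-positive check: one source hitting one user on one dest at a steady rate from first_seen to last_seen is the stale-credential pattern the question suspects, while one source cycling through many distinct_users (or many targets) is what an actual brute force or password spray looks like. Subsearches are capped at 10,000 results and 60 seconds by default, which is more than enough for a handful of sources.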