Hello Splunkers,
I have the InfoSec for Splunk App (https://splunkbase.splunk.com/app/4240/#/overview) installed and working. I'm getting data into it and it is using that data. My issue is that when I go to an alert (any alert) it will show me the stats but not any of the actual events. (Yes, it is in verbose mode.) The events tab shows X number of events, but when I click the events tab it says "no results". I think (please correct me if I'm wrong) this is normal behavior if using the tstats command, so how can I look at the actual events the search is finding?
I don't have enough karma points to add screenshots but this is the search the alert is using.
| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.src as source, Authentication.action as action
| chart last(count) over source by action
| where success>0 and failure>20
| sort -failure
| rename failure as failures
| fields - success, unknown
For my data this returns 2 IPs and the number of failures for each. I think that these are false positives (some app, utility, script, etc. with an old password) but need to see the actual events to be certain.
Thanks for taking the time to read this.
System details
Stand-alone Splunk Enterprise 7.3
InfoSec app version 1.4
CIM version 4.11
Hello @eliasit, you are correct - tstats will not show you raw events. That's by design, as tstats in this case uses an accelerated data model and does not touch raw events. That lets you report on millions or billions of events in seconds.
If you are after drilling down into the details of the Brute Force Attack report like the one on the screenshot below, you can do a couple of things:
Modify the tstats search string to something that does not use tstats:
tag=authentication
| stats count by action, src
| chart last(count) over src by action
| where success>0 and failure>20
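Another way to get at the raw events behind the report, as an added example that is not part of the InfoSec app or the answer above: keep the fast tstats search to pick out the sources that match the alert logic, then use it as a subsearch that feeds those sources into a raw-event search. It assumes the Authentication data model is accelerated and that the raw events carry the CIM `src`, `action`, `user`, `dest` and `app` fields; the subsearch expands to `(src="ip1") OR (src="ip2")`, so only events from the flagged sources are returned over the same time range.

```spl
tag=authentication
    [| tstats summariesonly=t allow_old_summaries=t count
        from datamodel=Authentication
        by Authentication.action, Authentication.src
     | rename Authentication.src as src, Authentication.action as action
     | chart last(count) over src by action
     | where success>0 and failure>20
     | fields src]
| table _time src user dest app action sourcetype
| sort - _time
```

Because the outer search reads raw events, the Events tab is populated and you can check the `user`, `app` and `dest` values to confirm whether the flagged sources are a stale-credential script or a genuine brute-force attempt.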