Security

Need help making a swimlane for All Privileged Authentication Attempts

Path Finder

I'm trying to make a Swimlane search to use the Authentication Datamodel, and the Privileged Authentication Dataset, and only return users entered into the identity investigator.

This is what I have so far. Thanks!

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

0 Karma
1 Solution

Path Finder

Got it to work, I just had to turn off acceleration since we were filtering with WHERE, and search filters can not be applied to accelerated datamodels! Thanks for the help. Below is the finale SPL.

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,values(Authentication.tag) as tag,count from datamodel=Authentication where nodename = Authentication.Privileged_Authentication $constraints$ by _time span=$span$

View solution in original post

0 Karma

Path Finder

Got it to work, I just had to turn off acceleration since we were filtering with WHERE, and search filters can not be applied to accelerated datamodels! Thanks for the help. Below is the finale SPL.

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,values(Authentication.tag) as tag,count from datamodel=Authentication where nodename = Authentication.Privileged_Authentication $constraints$ by _time span=$span$

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Which app are you using ? Are you on https://splunkbase.splunk.com/app/3708/ ?

0 Karma

Path Finder

This search pulls all Authentication attempts from the Authentication datamodel,

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

I just need this search refined to only pull Privileged Authentication Attempts, from the Privileged_Authentication dataset from the authentication datamodel but just changing datamodel=Authentication.Authentication to datamodel=Authentication.Privileged_Authentication doesn't work, because I get the error Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel

The $constraints$ should be the same because the dataset Inherits the datamodel constraints. Or atleast that's how I understand it...

0 Karma

SplunkTrust
SplunkTrust

Are you using this in the $contraints$ variable : (nodename = Authentication.Privileged_Authentication) ?

Your search should look like this :

... datamodel=Authentication where (nodename = Authentication.Privileged_Authentication) ...
0 Karma

Path Finder

Yeah we tried this

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,values(Authentication.tag) as tag,count from datamodel=Authentication where (nodename = Authentication.Privileged_Authentication $constraints$ by _time span=$span$)

It "Works" as in when you search for it via search it will return results, but it still wont return any swimlane results...

Does swimlane have to be tstats?

0 Karma

Path Finder
0 Karma