Splunk Enterprise Security

A bit stuck with syntax while working with an ES search

Path Finder


I found two cases where the ES correlated search "Brute Force Access Behavior Detected" is "invalid" for our purposes. They are both indicators that an AD account is locked out or disabled and are as follows:

Event Code = 4768
krb tgt request result code = 0x12 or 0x6

Now, I'm having some trouble with syntax for this (note that the datamodel expanded while I was working, and the changes I've made are reflected below the search:

(index=* OR index=_*) ((()) tag=authentication NOT (action=success user=*$)) DIRECTIVES(READ_SUMMARY(datamodel="Authentication.Authentication" summariesonly="false" allow_old_summaries="false")) 
| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user) 
| search action=failure 
| eval is_Failed_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Authentication=1-is_Failed_Authentication, is_Successful_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Authentication=1-is_Successful_Authentication, is_Default_Authentication=if(searchmatch("(tag=\"default\")"),1,0), is_not_Default_Authentication=1-is_Default_Authentication, is_Insecure_Authentication=if(searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"),1,0), is_not_Insecure_Authentication=1-is_Insecure_Authentication, is_Privileged_Authentication=if(searchmatch("(tag=\"privileged\")"),1,0), is_not_Privileged_Authentication=1-is_Privileged_Authentication 
| fields "_time" "host" "source" "sourcetype" "dest_bunit" "dest_category" "dest_nt_domain" "dest_priority" "duration" "response_time" "signature" "signature_id" "src_bunit" "src_category" "src_nt_domain" "src_priority" "src_user_bunit" "src_user_category" "src_user_priority" "tag" "user_bunit" "user_category" "user_priority" "action" "app" "src" "src_user" "dest" "user" "is_Failed_Authentication" "is_not_Failed_Authentication" "is_Successful_Authentication" "is_not_Successful_Authentication" "is_Default_Authentication" "is_not_Default_Authentication" "is_Insecure_Authentication" "is_not_Insecure_Authentication" "is_Privileged_Authentication" "is_not_Privileged_Authentication" 
| search signature_id!=4768 
| rex "Result Code:\s*(?<krb_tgt_request_result_code>.*)" 
| search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6 
| eval DoW_Hour_Min = strftime(_time,"%A_%H_%M") 
| stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code 
| sort -count

changes are:

  • | search action=failure
  • | search signature_id!=4768
  • | rex "Result Code:\s*(?.*)"
  • | search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6
  • | eval DoW_Hour_Min = strftime(time,"%A%H_%M")
  • | stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code
  • | sort -count

So, my problem is... the rex is only valid for events with signature_id=4768. But I want to exclude explicitly those events.

I guess the question is two fold:
1) do I care about the efficiency of the rex, insomuch that I only want it to exercise against signature_id=4768? How do I do that?
2) I really only care about dealing with signature_id=4768 with krb_Tgt_request_result_code is: 0x12 or 0x6. How do I do that?

Will it work if I do a single rex with two named capture groups, and then I can run a subsequent search for my inverse cases?



0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...