Splunk Enterprise Security

A bit stuck with syntax while working with an ES search

Path Finder


I found two cases where the ES correlated search "Brute Force Access Behavior Detected" is "invalid" for our purposes. They are both indicators that an AD account is locked out or disabled and are as follows:

Event Code = 4768
krb tgt request result code = 0x12 or 0x6

Now, I'm having some trouble with syntax for this (note that the datamodel expanded while I was working, and the changes I've made are reflected below the search:

(index=* OR index=_*) ((()) tag=authentication NOT (action=success user=*$)) DIRECTIVES(READ_SUMMARY(datamodel="Authentication.Authentication" summariesonly="false" allow_old_summaries="false")) 
| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user) 
| search action=failure 
| eval is_Failed_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Authentication=1-is_Failed_Authentication, is_Successful_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Authentication=1-is_Successful_Authentication, is_Default_Authentication=if(searchmatch("(tag=\"default\")"),1,0), is_not_Default_Authentication=1-is_Default_Authentication, is_Insecure_Authentication=if(searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"),1,0), is_not_Insecure_Authentication=1-is_Insecure_Authentication, is_Privileged_Authentication=if(searchmatch("(tag=\"privileged\")"),1,0), is_not_Privileged_Authentication=1-is_Privileged_Authentication 
| fields "_time" "host" "source" "sourcetype" "dest_bunit" "dest_category" "dest_nt_domain" "dest_priority" "duration" "response_time" "signature" "signature_id" "src_bunit" "src_category" "src_nt_domain" "src_priority" "src_user_bunit" "src_user_category" "src_user_priority" "tag" "user_bunit" "user_category" "user_priority" "action" "app" "src" "src_user" "dest" "user" "is_Failed_Authentication" "is_not_Failed_Authentication" "is_Successful_Authentication" "is_not_Successful_Authentication" "is_Default_Authentication" "is_not_Default_Authentication" "is_Insecure_Authentication" "is_not_Insecure_Authentication" "is_Privileged_Authentication" "is_not_Privileged_Authentication" 
| search signature_id!=4768 
| rex "Result Code:\s*(?<krb_tgt_request_result_code>.*)" 
| search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6 
| eval DoW_Hour_Min = strftime(_time,"%A_%H_%M") 
| stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code 
| sort -count

changes are:

  • | search action=failure
  • | search signature_id!=4768
  • | rex "Result Code:\s*(?.*)"
  • | search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6
  • | eval DoW_Hour_Min = strftime(time,"%A%H_%M")
  • | stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code
  • | sort -count

So, my problem is... the rex is only valid for events with signature_id=4768. But I want to exclude explicitly those events.

I guess the question is two fold:
1) do I care about the efficiency of the rex, insomuch that I only want it to exercise against signature_id=4768? How do I do that?
2) I really only care about dealing with signature_id=4768 with krb_Tgt_request_result_code is: 0x12 or 0x6. How do I do that?

Will it work if I do a single rex with two named capture groups, and then I can run a subsequent search for my inverse cases?



0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...