Splunk Enterprise Security

A bit stuck with syntax while working with an ES search

Path Finder


I found two cases where the ES correlated search "Brute Force Access Behavior Detected" is "invalid" for our purposes. They are both indicators that an AD account is locked out or disabled and are as follows:

Event Code = 4768
krb tgt request result code = 0x12 or 0x6

Now, I'm having some trouble with syntax for this (note that the datamodel expanded while I was working, and the changes I've made are reflected below the search:

(index=* OR index=_*) ((()) tag=authentication NOT (action=success user=*$)) DIRECTIVES(READ_SUMMARY(datamodel="Authentication.Authentication" summariesonly="false" allow_old_summaries="false")) 
| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user) 
| search action=failure 
| eval is_Failed_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Authentication=1-is_Failed_Authentication, is_Successful_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Authentication=1-is_Successful_Authentication, is_Default_Authentication=if(searchmatch("(tag=\"default\")"),1,0), is_not_Default_Authentication=1-is_Default_Authentication, is_Insecure_Authentication=if(searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"),1,0), is_not_Insecure_Authentication=1-is_Insecure_Authentication, is_Privileged_Authentication=if(searchmatch("(tag=\"privileged\")"),1,0), is_not_Privileged_Authentication=1-is_Privileged_Authentication 
| fields "_time" "host" "source" "sourcetype" "dest_bunit" "dest_category" "dest_nt_domain" "dest_priority" "duration" "response_time" "signature" "signature_id" "src_bunit" "src_category" "src_nt_domain" "src_priority" "src_user_bunit" "src_user_category" "src_user_priority" "tag" "user_bunit" "user_category" "user_priority" "action" "app" "src" "src_user" "dest" "user" "is_Failed_Authentication" "is_not_Failed_Authentication" "is_Successful_Authentication" "is_not_Successful_Authentication" "is_Default_Authentication" "is_not_Default_Authentication" "is_Insecure_Authentication" "is_not_Insecure_Authentication" "is_Privileged_Authentication" "is_not_Privileged_Authentication" 
| search signature_id!=4768 
| rex "Result Code:\s*(?<krb_tgt_request_result_code>.*)" 
| search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6 
| eval DoW_Hour_Min = strftime(_time,"%A_%H_%M") 
| stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code 
| sort -count

changes are:

  • | search action=failure
  • | search signature_id!=4768
  • | rex "Result Code:\s(?.)"
  • | search krbtgtrequestresultcode!=0x12 krbtgtrequestresultcode!=0x6
  • | eval DoWHourMin = strftime(time,"%A%H_%M")
  • | stats count by DoWHourMin, app, src, dest, action, user, signatureid, krbtgtrequestresult_code
  • | sort -count

So, my problem is... the rex is only valid for events with signature_id=4768. But I want to exclude explicitly those events.

I guess the question is two fold:
1) do I care about the efficiency of the rex, insomuch that I only want it to exercise against signatureid=4768? How do I do that?
2) I really only care about dealing with signature
id=4768 with krbTgtrequestresultcode is: 0x12 or 0x6. How do I do that?

Will it work if I do a single rex with two named capture groups, and then I can run a subsequent search for my inverse cases?



0 Karma