Splunk Enterprise Security

A bit stuck with syntax while working with an ES search

mbrownoutside
Path Finder

Hello,

I found two cases where the ES correlated search "Brute Force Access Behavior Detected" is "invalid" for our purposes. They are both indicators that an AD account is locked out or disabled and are as follows:

Event Code = 4768
AND
krb tgt request result code = 0x12 or 0x6

Now, I'm having some trouble with syntax for this (note that the datamodel expanded while I was working, and the changes I've made are reflected below the search:

(index=* OR index=_*) ((()) tag=authentication NOT (action=success user=*$)) DIRECTIVES(READ_SUMMARY(datamodel="Authentication.Authentication" summariesonly="false" allow_old_summaries="false")) 
| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user) 
| search action=failure 
| eval is_Failed_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Authentication=1-is_Failed_Authentication, is_Successful_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Authentication=1-is_Successful_Authentication, is_Default_Authentication=if(searchmatch("(tag=\"default\")"),1,0), is_not_Default_Authentication=1-is_Default_Authentication, is_Insecure_Authentication=if(searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"),1,0), is_not_Insecure_Authentication=1-is_Insecure_Authentication, is_Privileged_Authentication=if(searchmatch("(tag=\"privileged\")"),1,0), is_not_Privileged_Authentication=1-is_Privileged_Authentication 
| fields "_time" "host" "source" "sourcetype" "dest_bunit" "dest_category" "dest_nt_domain" "dest_priority" "duration" "response_time" "signature" "signature_id" "src_bunit" "src_category" "src_nt_domain" "src_priority" "src_user_bunit" "src_user_category" "src_user_priority" "tag" "user_bunit" "user_category" "user_priority" "action" "app" "src" "src_user" "dest" "user" "is_Failed_Authentication" "is_not_Failed_Authentication" "is_Successful_Authentication" "is_not_Successful_Authentication" "is_Default_Authentication" "is_not_Default_Authentication" "is_Insecure_Authentication" "is_not_Insecure_Authentication" "is_Privileged_Authentication" "is_not_Privileged_Authentication" 
| search signature_id!=4768 
| rex "Result Code:\s*(?<krb_tgt_request_result_code>.*)" 
| search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6 
| eval DoW_Hour_Min = strftime(_time,"%A_%H_%M") 
| stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code 
| sort -count

changes are:

  • | search action=failure
  • | search signature_id!=4768
  • | rex "Result Code:\s*(?.*)"
  • | search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6
  • | eval DoW_Hour_Min = strftime(time,"%A%H_%M")
  • | stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code
  • | sort -count

So, my problem is... the rex is only valid for events with signature_id=4768. But I want to exclude explicitly those events.

I guess the question is two fold:
1) do I care about the efficiency of the rex, insomuch that I only want it to exercise against signature_id=4768? How do I do that?
2) I really only care about dealing with signature_id=4768 with krb_Tgt_request_result_code is: 0x12 or 0x6. How do I do that?

Will it work if I do a single rex with two named capture groups, and then I can run a subsequent search for my inverse cases?

Thanks,

Matt

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...