We are trying to modify the existing query in the "Remote Desktop Network Bruteforce" correlation search present in the Splunk ES use cases to exclude events with the same session_id.
The original query is:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`
We have tried using the "dedup" command and the "distinct_count" function of the stats command without success.
Thanks in advance,
After including the "session_id" field within the tstats command, in the BY clause to extract it, we have observed that some results are excluded where there are several different values in the session_id field.
Note that "session_id" is not an eval field in the Network Traffic data model, meaning that it could be null for some entries. If you add session_id to the by clause, these entries would be dismissed. If this is the case, you can either use the "fillnull_value" argument on the tstats command, or instead of adding session_id after the by clause, add it as a values function.
| tstats summariesonly=t count values(All_Traffic.session_id) as session_id min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
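To show how the distinct-session approach fits into the full correlation search, here is an added example (not part of either answer above) that keeps the original search's shape but bases the outlier test on the number of distinct sessions per src/dest/port pair rather than on the raw event count. It assumes your RDP traffic source actually populates All_Traffic.session_id (firewall and proxy sources usually do; flow data often does not), and it reuses the `security_content_summariesonly` and `remote_desktop_network_bruteforce_filter` macros exactly as they appear in the original search. The `dc()` aggregation is used inside tstats instead of `values()` so that rows with no session_id are kept (they get session_count=0 rather than being dropped) and so that the result is not subject to the multivalue cap that `values()` is.

```spl
| tstats `security_content_summariesonly` count dc(All_Traffic.session_id) as session_count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic where All_Traffic.app=rdp
    by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| eventstats stdev(session_count) AS stdev avg(session_count) AS avg p50(session_count) AS p50
| where session_count>(avg + stdev*2)
| rename All_Traffic.src AS src All_Traffic.dest AS dest All_Traffic.dest_port AS dest_port
| table firstTime lastTime src dest dest_port count session_count avg p50 stdev
| `remote_desktop_network_bruteforce_filter`
```

Two things to check before deploying this. First, run the tstats line on its own over a representative window and compare count with session_count: if session_count is 0 or 1 for nearly every row while count is large, the source is not carrying a session identifier and the distinct-session test will never fire, in which case the original count-based search should stay in place. Second, because session_count now drives the eventstats baseline, the avg/stdev/p50 values will be smaller than in the original search, so any thresholds or suppression rules you tuned against the old count field need to be revisited. If you would rather keep a per-session breakdown for investigation, add All_Traffic.session_id to the by clause together with fillnull_value="unknown" as suggested above, then roll it back up with a stats command before the eventstats step.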
The tstats command does not provide the session_id field so you won't be able to filter on it. You'll have to modify the query so tstats returns session_id then you can include the field in your `remote_desktop_network_bruteforce_filter` macro.