Splunk Enterprise Security

Reverse engineering an enterprise security correlation search

mbrownoutside
Path Finder

I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating new correlated searches with adjusted thresholds and/or explicit asset exceptions.

The correlated search I'm reviewing is "Access - Brute Force Access Behavior Detected - Rule."

In effort to attribute the authentication failures to systems with a src and a dst so that I can present the data to sysadmins for investigation and resolution of possible misconfiguration, I wanted to better understand the correlated search:

| from datamodel:"Authentication"."Authentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium

I have an understanding of most of the search, but the parameters of xswhere are throwing me off. If I understand the documentation well enough, I see the entities:

  • hedge
  • concept
  • context
  • container

However, I do not understand where they are defined.

Very tangibly, in this example... where can I locate the definitions of: failure, failures_by_src_count_1h, authentication, above, medium.

Are these contained within the data model?

As an aside (as in not for me to understand conceptually and specifically what's going on), what is best practice for tweaking correlated searches in ES? I wanted to use this canned correlated search as a template, and clone it to two additional correlated searches with different thresholds and different in-scope assets (by excluding assets in a lookup table).

Thanks,

Matt

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

xswhere is one of the Extreme Search commands, which are not well documented.

failures is any field, in this case one produced by stats
failures_by_src_count_1h is the context in which to evaluate failures. It's created by the "Access - Authentication Failures By Source - Context Gen" saved search.
authentication is the data model being used
above medium is the filter for failures. Values higher than "medium" (intentionally fuzzy) will be displayed

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

mbrownoutside
Path Finder

It's worth noting, the splunk tech writers live in my/our head(s)...

See the documentation topic Extreme search example in Splunk Enterprise Security.

I'll spend more time reading through that, other than on my commute today, and it will provide thorough understanding.

0 Karma

starcher
SplunkTrust
SplunkTrust
0 Karma

richgalloway
SplunkTrust
SplunkTrust

xswhere is one of the Extreme Search commands, which are not well documented.

failures is any field, in this case one produced by stats
failures_by_src_count_1h is the context in which to evaluate failures. It's created by the "Access - Authentication Failures By Source - Context Gen" saved search.
authentication is the data model being used
above medium is the filter for failures. Values higher than "medium" (intentionally fuzzy) will be displayed

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!