- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Reverse engineering an enterprise security correla...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating new correlated searches with adjusted thresholds and/or explicit asset exceptions.
The correlated search I'm reviewing is "Access - Brute Force Access Behavior Detected - Rule."
In effort to attribute the authentication failures to systems with a src and a dst so that I can present the data to sysadmins for investigation and resolution of possible misconfiguration, I wanted to better understand the correlated search:
| from datamodel:"Authentication"."Authentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium
I have an understanding of most of the search, but the parameters of xswhere are throwing me off. If I understand the documentation well enough, I see the entities:
- hedge
- concept
- context
- container
However, I do not understand where they are defined.
Very tangibly, in this example... where can I locate the definitions of: failure, failures_by_src_count_1h, authentication, above, medium.
Are these contained within the data model?
As an aside (as in not for me to understand conceptually and specifically what's going on), what is best practice for tweaking correlated searches in ES? I wanted to use this canned correlated search as a template, and clone it to two additional correlated searches with different thresholds and different in-scope assets (by excluding assets in a lookup table).
Thanks,
Matt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xswhere is one of the Extreme Search commands, which are not well documented.
failures is any field, in this case one produced by stats
failures_by_src_count_1h is the context in which to evaluate failures. It's created by the "Access - Authentication Failures By Source - Context Gen" saved search.
authentication is the data model being used
above medium is the filter for failures. Values higher than "medium" (intentionally fuzzy) will be displayed
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's worth noting, the splunk tech writers live in my/our head(s)...
See the documentation topic Extreme search example in Splunk Enterprise Security.
I'll spend more time reading through that, other than on my commute today, and it will provide thorough understanding.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xswhere is one of the Extreme Search commands, which are not well documented.
failures is any field, in this case one produced by stats
failures_by_src_count_1h is the context in which to evaluate failures. It's created by the "Access - Authentication Failures By Source - Context Gen" saved search.
authentication is the data model being used
above medium is the filter for failures. Values higher than "medium" (intentionally fuzzy) will be displayed
If this reply helps you, Karma would be appreciated.
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
