Splunk Enterprise Security

Reverse engineering an enterprise security correlation search

mbrownoutside
Path Finder

I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating new correlated searches with adjusted thresholds and/or explicit asset exceptions.

The correlated search I'm reviewing is "Access - Brute Force Access Behavior Detected - Rule."

In effort to attribute the authentication failures to systems with a src and a dst so that I can present the data to sysadmins for investigation and resolution of possible misconfiguration, I wanted to better understand the correlated search:

| from datamodel:"Authentication"."Authentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium

I have an understanding of most of the search, but the parameters of xswhere are throwing me off. If I understand the documentation well enough, I see the entities:

  • hedge
  • concept
  • context
  • container

However, I do not understand where they are defined.

Very tangibly, in this example... where can I locate the definitions of: failure, failures_by_src_count_1h, authentication, above, medium.

Are these contained within the data model?

As an aside (as in not for me to understand conceptually and specifically what's going on), what is best practice for tweaking correlated searches in ES? I wanted to use this canned correlated search as a template, and clone it to two additional correlated searches with different thresholds and different in-scope assets (by excluding assets in a lookup table).

Thanks,

Matt

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

xswhere is one of the Extreme Search commands, which are not well documented.

failures is any field, in this case one produced by stats
failures_by_src_count_1h is the context in which to evaluate failures. It's created by the "Access - Authentication Failures By Source - Context Gen" saved search.
authentication is the data model being used
above medium is the filter for failures. Values higher than "medium" (intentionally fuzzy) will be displayed

---
If this reply helps you, Karma would be appreciated.

View solution in original post

mbrownoutside
Path Finder

It's worth noting, the splunk tech writers live in my/our head(s)...

See the documentation topic Extreme search example in Splunk Enterprise Security.

I'll spend more time reading through that, other than on my commute today, and it will provide thorough understanding.

0 Karma

starcher
Influencer
0 Karma

richgalloway
SplunkTrust
SplunkTrust

xswhere is one of the Extreme Search commands, which are not well documented.

failures is any field, in this case one produced by stats
failures_by_src_count_1h is the context in which to evaluate failures. It's created by the "Access - Authentication Failures By Source - Context Gen" saved search.
authentication is the data model being used
above medium is the filter for failures. Values higher than "medium" (intentionally fuzzy) will be displayed

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...