Splunk Enterprise Security
Highlighted

Reverse engineering an enterprise security correlation search

Path Finder

I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating new correlated searches with adjusted thresholds and/or explicit asset exceptions.

The correlated search I'm reviewing is "Access - Brute Force Access Behavior Detected - Rule."

In effort to attribute the authentication failures to systems with a src and a dst so that I can present the data to sysadmins for investigation and resolution of possible misconfiguration, I wanted to better understand the correlated search:

| from datamodel:"Authentication"."Authentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium

I have an understanding of most of the search, but the parameters of xswhere are throwing me off. If I understand the documentation well enough, I see the entities:

  • hedge
  • concept
  • context
  • container

However, I do not understand where they are defined.

Very tangibly, in this example... where can I locate the definitions of: failure, failures_by_src_count_1h, authentication, above, medium.

Are these contained within the data model?

As an aside (as in not for me to understand conceptually and specifically what's going on), what is best practice for tweaking correlated searches in ES? I wanted to use this canned correlated search as a template, and clone it to two additional correlated searches with different thresholds and different in-scope assets (by excluding assets in a lookup table).

Thanks,

Matt

0 Karma
Highlighted

Re: Reverse engineering an enterprise security correlation search

SplunkTrust
SplunkTrust

xswhere is one of the Extreme Search commands, which are not well documented.

failures is any field, in this case one produced by stats
failuresbysrccount1h is the context in which to evaluate failures. It's created by the "Access - Authentication Failures By Source - Context Gen" saved search.
authentication is the data model being used
above medium is the filter for failures. Values higher than "medium" (intentionally fuzzy) will be displayed

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Highlighted

Re: Reverse engineering an enterprise security correlation search

Path Finder

It's worth noting, the splunk tech writers live in my/our head(s)...

See the documentation topic Extreme search example in Splunk Enterprise Security.

I'll spend more time reading through that, other than on my commute today, and it will provide thorough understanding.

0 Karma
Highlighted

Re: Reverse engineering an enterprise security correlation search

SplunkTrust
SplunkTrust
0 Karma