Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Separating Kerberos Events in Datamodel.Authentication

richardphung
Communicator
‎01-15-2019 11:14 AM

Greetings--

Kerberos will attempt to impersonate a user by requesting tickets from the Domain Controllers on any domain joined computers OR if a user is logging into a .NET web service, this generates a LOT of noise and triggers our Brute Force, Excessive Login, and Geographically Improbable Access notables.
The goal is to clean-up and/or suppress Notable Events within Enterprise Security that are related to Kerberos.

Looking at:

 |from datamodel:"Authentication"."Authentication" | search kerberos

We see that each kerberos logon process contains 3 event codes AS signature_id:
4624

4769

4768

For the latter two,

4769:--
TaskCategory=Kerberos Service Ticket Operations

4768:--
TaskCategory=Kerberos Authentication Service

I can modify the Correlation Searches to filter event 4768 or 4769 as they relate exclusively to Kerberos.
e.g.

| `tstats` min(_time),earliest(Authentication.app) from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature_id!="4768" AND Authentication.signature_id!="4768"  by Authentication.src,Authentication.user [...and so forth...]

The issue:
Events 4624 are generated for ANY logon event, kerberos or otherwise.
Looking at a RAW event, I see that 4624: contains a field: Logon Process: Kerberos:

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services:
    Package Name (NTLM only):
    Key Length:     0

This is properly extracted on index="wineventlog:security" but does not seem to be so when we do a search against the datamodel (which is primarily CIM fields).

Question:
How else can I isolate these events and use them in Correlation Searches?

0 Karma
Reply

lakshman239
Influencer
‎01-16-2019 06:57 AM

If you don't need Logon Process: Kerberos events, you can filter them in the universal forwarder on the windows server using blacklist to filter 4624 with kerberos.

On the other hand, if you do not want to filter them (as they may be required for forensics/analysis of auth processes during incident), you can define a custom field in the Authentication datamodel and map logon process which can be used to filter in your tstats search .

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...