Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- "Concurrent Login Attempts Detected" CS results ha...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're getting false positives on the correlated search, "Concurrent Login Attempts Detected", because the previous_src and the src are the hostname and IP of the same system.
In ES if I use Investigate Asset Artifacts and enter the hostname, the IP is returned, and vice versa. To me that means the asset lookups are functioning properly, right?
Anyone know how to correct for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I opened a case with Splunk support & they said this an expected behavior, it either needs more work or there is something specific that's causing hundreds of these alerts per day. To reduce the noise I've eliminated all Domain Controller IPs & Hostnames. Next I added multiple looks for the IPs, this is done based on both src & previous_src:
| lookup dnslookup clientip as src OUTPUT clienthost as src_fqdn
| lookup dnslookup clientip as previous_src OUTPUT clienthost as previous_src_fqdn
I then remove any matches between src_fqdn & previous_src_fqdn:
| where (src_fqdn!=previous_src_fqdn)
I needed to remove the Fully Qualified Domain Name (FQDN) to match possible src/previous_src:
| rex field=src_fqdn "(?<src_host>^([^.]+))"
| rex field=previous_src_fqdn "(?<previous_src_host>^([^.]+))"
Then I added multiple where clauses to eliminate duplicates:
| where (src_host!=src) AND (src_host!=previous_src) AND (previous_src_host!=src) AND (previous_src_host!=previous_src)
While all of this has reduced the noise from thousands of alerts per day to hundreds, it unfortunately has added a lot of overhead. If anyone has any suggestions to speed this up, I would appreciate any assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I opened a case with Splunk support & they said this an expected behavior, it either needs more work or there is something specific that's causing hundreds of these alerts per day. To reduce the noise I've eliminated all Domain Controller IPs & Hostnames. Next I added multiple looks for the IPs, this is done based on both src & previous_src:
| lookup dnslookup clientip as src OUTPUT clienthost as src_fqdn
| lookup dnslookup clientip as previous_src OUTPUT clienthost as previous_src_fqdn
I then remove any matches between src_fqdn & previous_src_fqdn:
| where (src_fqdn!=previous_src_fqdn)
I needed to remove the Fully Qualified Domain Name (FQDN) to match possible src/previous_src:
| rex field=src_fqdn "(?<src_host>^([^.]+))"
| rex field=previous_src_fqdn "(?<previous_src_host>^([^.]+))"
Then I added multiple where clauses to eliminate duplicates:
| where (src_host!=src) AND (src_host!=previous_src) AND (previous_src_host!=src) AND (previous_src_host!=previous_src)
While all of this has reduced the noise from thousands of alerts per day to hundreds, it unfortunately has added a lot of overhead. If anyone has any suggestions to speed this up, I would appreciate any assistance.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
