Disclaimer: I know the search below is ugly, its based on several examples including the exploring splunk book. I was trying to get an example from splunk .conf working http://www.mensk.com/detecting-bank-accounts-takeover-fraud-cyberattacks-with-splunk-part3-the-advan... but failed miserably.
Desired Results:
I have scenario 1 working (below) it is just really expensive. Even if I can just improve performance on that, it would be a big help.
The search below works, however I need to compare this results against 2 other searches (
Compare Returned IPs against IPs used by different groups last 30 days:
index=pssql sourcetype=logins IPAddress=(questionable_IP) | eval iDate=strftime(_time, "%m/%d/%Y")
| stats values(Group_Name) values(User_Name) values(iDate) by IPAddress
Compare returned Account Number against Account Numbers used last 30 days by different groups:
index=pssql sourcetype=UserActivity Account_Number=(questionable_account)
Working search:
index=pssql sourcetype=UserActivity Message="Admin Function*" earliest=-2d latest=now
| eval iDate=strftime(_time, "%m/%d/%Y %H:%M:%S")
| stats values(IPAddress) as lastIP values(Message) as iMessage values(iDate) as iDate
values(Account_Number) as Account_Number values(Routing_Number) as Routing_Number by Group_Name
| sort lastIP
| append [ search
index=pssql sourcetype=logins earliest=-30d latest=-2d
| eval aDate=strftime(_time, "%m/%d/%Y")
| eval dateIP=IPAddress." - ".aDate
| stats values(IPAddress) as PreviousIPs values(User_Name) as User_Name
dc(IPAddress) as ipCount values(dateIP) as dateIP by Group_Name
| where ipCount>1
| fields PreviousIPs,User_Name,ipCount,PrevTime,Group_Name,_time,dateIP
]
| stats values(lastIP) as lastIP dc(lastIP) as lastIPCount values(User_Name) as User_Name
values(dateIP) as dateIP values(iMessage) as iMessage
values(PreviousIPs) as PreviousIPs dc(PreviousIPs) as prevIPCount values(Account_Number) as Account_Number
values(iDate) as iDate values(Routing_Number) as Routing_Number by Group_Name
| where lastIPCount>0 AND prevIPCount>0
| sort lastIP
| eval Match=if(lastIP!=PreviousIPs,"NO","YES")
| where Match="NO"
| table Group_Name, User_Name, iDate, lastIP, dateIP, Routing_Number, Account_Number
See if you get any ideas from this previous post by @MuS
See if you get any ideas from this previous post by @MuS
I have read that multiple times, honestly I get lost how to apply that to my specific use case. Any hints?
Here is a skeleton of how, I think this could work without subsearches. NOt sure I understand the 3 scenario, so this is only for 1&2. This is to only get you started...
index=pssql (sourcetype=UserActivity Message="Admin Function*") OR sourcetype=logins earliest=-30d latest=-2d | eventstats earliest(_time) as previous latest(_time) as current by group_name ip | eval seenbefore=if(current<=relative_time(now(), "-2d@d"), "yes", "no") | eventstats values(eval(if(seenbefore="no", group_name", null())) as groupsusingip by ip
I think this should give you, for each event, if it was seenbefore, if not, groups using the ip. Hopefully, I'm not waay off base 🙂
Thank you, that makes sense.