I have the following search and I'm not certain it's producing the correct results. The idea is to use it to detect brute force attempts whereby 1 source device attempts to connect to multiple destinations over a 1 second period making use of the Authentication datamodel, specifically for failed logins.
Current search looks as follows:
| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src","Authentication.dest" | rename "Authentication.src" as "Source_Device" | bucket _time span=1s | stats dc("Authentication.dest") as Destination_Device by Source_Device | where Destination_Device > 20
But I'm not certain whether it's producing results of failed connections over a period of time, say 30 days, or whether the results were all failed login attempts carried out over a 1 second period, as per the use of the bucket _time span=1s statement. The idea is to make the search into an alert to detect brute force attacks against multiple destinations.
Any thoughts?
Many thanks in advance!
Try like this
Updated
| tstats summariesonly=t dc("Authentication.dest") as Destination_Device from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src" _time span=1s | rename "Authentication.src" as "Source_Device" | where Destination_Device > 20
So ditch the 'bucket' altogether?
The bucketing is happening as part of tstats command itself (include _time in the by clause and a span at the end of the tstats).
Ok, that makes sense. Slightly confused though: is Dal's ...by Source_Device needed as well? And would this go in an additional | stats search?
Sorry, new to Splunk. Slowly getting there.
In general, you fetch the required events in the base search (anything before the first pipe) and then you aggregate the results using stats/timechart or any other similar command. Whereas tstats is a special command which lets you do both, fetching and aggregation, in the same command itself. Since you were doing a simple stats, with bucketing based on _time, I was able to bundle that as a single tstats command. I would check the results (without the where clause) first and then add more aggregation, if required.
Awesome. Thanks for your help.
Don't you need
...by Source_Device _time ...
in the final stats command?
Thanks Dal. Yes I do. In fact that gave me an idea to avoid the second stats altogether.
Have you looked at the events to confirm you have some instances where there were 20 attempts to different machines from the same source host within the same second?
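The difference the thread is circling around, as an added stand-alone Python illustration (not code from the thread or from Splunk): with _time in the by clause the distinct-count of destinations is computed per source per one-second bucket, whereas a stats without _time counts distinct destinations over the whole search window. The events, source/destination names and the threshold of 20 below are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample rows standing in for Authentication.Failed_Authentication
# events: (epoch seconds, Authentication.src, Authentication.dest, Authentication.app).
def make_events():
    base = 1700000000
    events = []
    # 10.0.0.5 fails against 25 distinct hosts inside a single second -> should alert
    for i in range(25):
        events.append((base + 0.3 + i * 0.01, "10.0.0.5", f"srv{i:02d}", "ssh"))
    # 10.0.0.9 fails against 25 distinct hosts, one per second -> no alert at span=1s
    for i in range(25):
        events.append((base + 10 + i, "10.0.0.9", f"srv{i:02d}", "ssh"))
    # win:unknown rows are excluded by the app filter, like Authentication.app!="win:unknown"
    for i in range(30):
        events.append((base + 50.5, "10.0.0.7", f"srv{i:02d}", "win:unknown"))
    return events

def bucketed_fanout(events, span=1, threshold=20):
    """Emulates: tstats dc(dest) by src _time span=1s | where dc > threshold.
    Returns {(src, bucket_start): distinct_dest_count} for buckets over threshold."""
    dests = defaultdict(set)
    for ts, src, dest, app in events:
        if app == "win:unknown":
            continue
        bucket = int(ts // span) * span      # floor to the span boundary, as _time span=1s does
        dests[(src, bucket)].add(dest)
    return {key: len(seen) for key, seen in dests.items() if len(seen) > threshold}

def whole_window_fanout(events, threshold=20):
    """Emulates a stats dc(dest) by src with no _time in the by clause:
    the distinct count spans the entire search window, so slow scans also trip it."""
    dests = defaultdict(set)
    for ts, src, dest, app in events:
        if app == "win:unknown":
            continue
        dests[src].add(dest)
    return {src: len(seen) for src, seen in dests.items() if len(seen) > threshold}

if __name__ == "__main__":
    ev = make_events()
    print("per-second buckets over threshold:", bucketed_fanout(ev))
    print("whole window over threshold:      ", whole_window_fanout(ev))
```

Running it shows only 10.0.0.5 in the per-second result, while the whole-window count also flags the slow 10.0.0.9 source; that is the distinction to keep in mind when deciding which behaviour the alert should have.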