Hello
I have this Splunk built-in rule: "Brute Force Access Behavior Detected Over 1d"

| tstats `summariesonly` values(Authentication.app) as app, count from datamodel=Authentication.Authentication where earliest=-1d by Authentication.action, Authentication.src, index
| `drop_dm_object_name("Authentication")`
| eval success=if(action="success",count,0), failure=if(action="failure",count,0)
| stats values(app) as app, sum(failure) as failure, sum(success) as success by src, index
| where success > 0
| `mltk_apply_upper("app:failures_by_src_count_1d", "medium", "failure")`
| rex field=index "(?<bu_prefix>[a-zA-Z]+)"
| lookup org_lookup.csv bu_prefix OUTPUTNEW Organization
1. How can I add to this query an indication of which user was used?
2. The query shows the app list + number of failures + number of successes, but no correlation of failures/successes to apps. How can I do that?
3. How can I add the failure reason to the query?
4. If an IP address made only several failed login attempts against one user, how can we catch such a scenario?
Thanks!
OK, I added the user and signature.
This is the updated query:

| tstats `summariesonly` values(Authentication.app) as app, count from datamodel=Authentication.Authentication where earliest=-1d by Authentication.action, Authentication.src, Authentication.signature, Authentication.user, index
| `drop_dm_object_name("Authentication")`
| eval success=if(action="success",count,0), failure=if(action="failure",count,0)
| stats values(app) as app, sum(failure) as failure, sum(success) as success by src, index, signature, user
| where success > 0
| `mltk_apply_upper("app:failures_by_src_count_1d", "medium", "failure")`
| rex field=index "(?<bu_prefix>[a-zA-Z]+)"
| lookup org_lookup.csv bu_prefix OUTPUTNEW Organization
Now I need:
1. The query shows the app list + number of failures + number of successes, but no correlation of failures/successes to apps. How can I do that?
2. If an IP address made only several failed login attempts against one user, how can we catch such a scenario?
3. If you look here https://docs.splunk.com/Documentation/CIM/4.17.0/User/Authentication, I can change "src" to "src_ip" or "src_host", but when I'm trying to add "Authentication.src_ip" or "Authentication.src_host" it's not working as an alias, only Authentication_src. What should I do?
Hi @inventsekar
Can't see a user field there.
"results": [
{
"Organization": "BuildASign",
"bu_prefix": "bas"
},
{
"Organization": "Cimpress China",
"bu_prefix": "cmprcn"
},
{
"Organization": "Cimpress Technology",
"bu_prefix": "cmpr"
},
{
"Organization": "Druck",
"bu_prefix": "drk"
},
{
"Organization": "Easyflyer",
"bu_prefix": "efly"
},
{
"Organization": "Exagroup",
"bu_prefix": "exa"
},
{
"Organization": "National Pen",
"bu_prefix": "npc"
},
{
"Organization": "PixartPrinting",
"bu_prefix": "pixart"
},
{
"Organization": "Printdeal",
"bu_prefix": "printd"
},
{
"Organization": "Tradeprint",
"bu_prefix": "trdpr"
},
{
"Organization": "Vistaprint",
"bu_prefix": "vp"
},
{
"Organization": "WirMachenDruck",
"bu_prefix": "wmd"
Hi @havatz, I am a bit new to the ES app, and in my ES environment I have 2 other brute force attack searches, but I don't see your search "Brute Force Access Behavior Detected Over 1d". Is this custom-created on your project, or is it from the ES app?
And the last lookup file, org_lookup.csv... does it have a field for user? (When you run "|inputlookup org_lookup.csv", what fields do you get?)