Hi,
I have the following search which I'd like to rewrite if possible without using the map command.
The search is used to track passwords in clear text and which user they belong to, in order to notify users that their password must be changed since it is in the clear.
Let me first explain the search:
The first part looks up failed authentications; a filter search is then applied to remove a few false values.
The ut_shannon_lookup looks up the Shannon entropy of the user field in order to check if it contains a password, not a username. We then keep events with ut_shannon<4 AND ut_shannon>3 (high entropy) and set the user field as a new field called incorrect_password.
endtime is set to +1000 seconds.
Map runs the same search and takes the sourcetype, dest and src + same starttime and endtime+1000 (in order to find the next user logging into the same system from the same source and with the same sourcetype).
The last where clause excludes events where the user name is the same as the incorrect_password field (possible duplicates).
outlier removes strange entries such as service accounts logging in thousands of times, etc.
The search:
| tstats `summariesonly` earliest(_time) AS starttime, latest(_time) AS endtime, latest(sourcetype) AS sourcetype, values(Authentication.src) AS src, values(Authentication.dest) AS dest, count from datamodel=Authentication.Authentication where Authentication.tag="failure" by Authentication.user
| `drop_dm_object_name("Authentication")`
| search user!="*EXAMPLE.COM" user!="HOSTNAME-*"
| lookup ut_shannon_lookup word AS user
| where ut_shannon<4 AND ut_shannon>3 AND mvcount(src) == 1
| sort count, - ut_shannon
| eval incorrect_password=user
| eval endtime=endtime+1000
| map maxsearches=70 search="| tstats `summariesonly` earliest(_time) AS starttime, latest(_time) AS endtime, latest(sourcetype) AS sourcetype, values(Authentication.src) AS src, values(Authentication.dest) AS dest, count from datamodel=Authentication.Authentication where Authentication.tag=success Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype=\"$sourcetype$\" earliest=\"$starttime$\" latest=\"$endtime$\" by Authentication.user
    | `drop_dm_object_name(\"Authentication\")`
    | search user!=\"*EXAMPLE.COM\" user!=\"HOSTNAME-*\"
    | eval incorrect_password=\"$incorrect_password$\"
    | eval ut_shannon=\"$ut_shannon$\"
    | sort count"
| where user!=incorrect_password
| outlier action=RM count
The search runs fast as it is based on summarized data models, but I'd like to get rid of the map command because of its restrictions. I could rewrite the search using streamstats, I guess, but that would make it a lot slower because it isn't based on the accelerated Authentication data model.
How could I rewrite this search using tstats but without the map command?
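The following is an added example, not code from the original post: the detection logic the search above implements (entropy filter on failed-login usernames, then the next successful login from the same src/dest/sourcetype inside the time window, excluding the same user), reproduced in Python over constructed sample events so each stage of the pipeline is visible outside Splunk. The entropy function is assumed to match ut_shannon from URL Toolbox (Shannon entropy in bits per character); the events, hosts and usernames are constructed; the final outlier stage is not reproduced.

```python
import math
from collections import Counter, defaultdict

# Thresholds and filters taken from the search in the post.
ENTROPY_LOW, ENTROPY_HIGH = 3.0, 4.0  # keep rows with 3 < ut_shannon < 4
WINDOW_SECONDS = 1000                 # eval endtime=endtime+1000
EXCLUDED_SUFFIX = "EXAMPLE.COM"       # user!="*EXAMPLE.COM"
EXCLUDED_PREFIX = "HOSTNAME-"         # user!="HOSTNAME-*"


def shannon_entropy(word):
    """Shannon entropy in bits per character (assumed to match ut_shannon)."""
    if not word:
        return 0.0
    n = len(word)
    return -sum(c / n * math.log2(c / n) for c in Counter(word).values())


def is_excluded(user):
    """The `search user!="*EXAMPLE.COM" user!="HOSTNAME-*"` filter."""
    return user.endswith(EXCLUDED_SUFFIX) or user.startswith(EXCLUDED_PREFIX)


def aggregate_failures(events):
    """First tstats: per user, earliest/latest time, src/dest values, latest sourcetype, count."""
    agg = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["tag"] != "failure" or is_excluded(e["user"]):
            continue
        row = agg.setdefault(e["user"], {
            "starttime": e["_time"], "endtime": e["_time"],
            "src": set(), "dest": set(), "sourcetype": e["sourcetype"], "count": 0})
        row["starttime"] = min(row["starttime"], e["_time"])
        row["endtime"] = max(row["endtime"], e["_time"])
        row["sourcetype"] = e["sourcetype"]  # latest(sourcetype): input is time-sorted
        row["src"].add(e["src"])
        row["dest"].add(e["dest"])
        row["count"] += 1
    return agg


def find_cleartext_passwords(events):
    """Return one row per (incorrect_password, user) pair, mirroring the map output."""
    results = []
    for user, row in aggregate_failures(events).items():
        h = shannon_entropy(user)
        # where ut_shannon<4 AND ut_shannon>3 AND mvcount(src)==1
        if not (ENTROPY_LOW < h < ENTROPY_HIGH) or len(row["src"]) != 1:
            continue
        src = next(iter(row["src"]))
        window_end = row["endtime"] + WINDOW_SECONDS
        # The map stage: successes from the same src/dest/sourcetype inside the window, by user.
        hits = defaultdict(int)
        for e in events:
            if (e["tag"] == "success" and not is_excluded(e["user"])
                    and e["src"] == src and e["dest"] in row["dest"]
                    and e["sourcetype"] == row["sourcetype"]
                    and row["starttime"] <= e["_time"] <= window_end
                    and e["user"] != user):  # where user!=incorrect_password
                hits[e["user"]] += 1
        for login_user, count in hits.items():
            results.append({"incorrect_password": user, "ut_shannon": round(h, 3),
                            "user": login_user, "src": src, "dest": sorted(row["dest"]),
                            "sourcetype": row["sourcetype"], "count": count})
    return results


# Constructed sample events (not real data), shaped like Authentication data model rows.
_ST = "WinEventLog:Security"
SAMPLE_EVENTS = [
    {"_time": 1000, "tag": "failure", "user": "Summer2019!", "src": "10.1.1.5", "dest": "srv01", "sourcetype": _ST},
    {"_time": 1030, "tag": "success", "user": "jsmith", "src": "10.1.1.5", "dest": "srv01", "sourcetype": _ST},
    {"_time": 1035, "tag": "success", "user": "Summer2019!", "src": "10.1.1.5", "dest": "srv01", "sourcetype": _ST},  # same as incorrect_password
    {"_time": 1040, "tag": "success", "user": "alice", "src": "10.1.1.9", "dest": "srv01", "sourcetype": _ST},  # different src
    {"_time": 1100, "tag": "failure", "user": "jsmith", "src": "10.1.1.5", "dest": "srv01", "sourcetype": _ST},  # low entropy
    {"_time": 1200, "tag": "failure", "user": "svc@EXAMPLE.COM", "src": "10.1.1.5", "dest": "srv01", "sourcetype": _ST},  # filtered
    {"_time": 5000, "tag": "success", "user": "bob", "src": "10.1.1.5", "dest": "srv01", "sourcetype": _ST},  # outside window
]

if __name__ == "__main__":
    for r in find_cleartext_passwords(SAMPLE_EVENTS):
        print(r)
```

Run as-is, the only row reported pairs the high-entropy failed "username" Summer2019! with jsmith, who succeeded 30 seconds later from the same src/dest/sourcetype; the same-user success, the success from another src, and the success outside the 1000-second window are all dropped by the same conditions the SPL applies.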