First of all, I am new to cyber and got Splunk dumped in my lap. I am really trying to get knowledgeable on it, but 1) I am horrible with coding, and apparently that includes regex; 2) long lines of code or search strings are like sensory overload to me. That being said, I am trying to clean up our alerts, as we are getting bogged down daily with well over 3k alerts that could most likely be expunged. Many of our alerts are based on tstats search strings. It shows a great report, but I am unable to get into the nitty gritty. For example, the brute force string below brings up a Statistics table with various elements (src, dest, user, app, failure, success, locked) showing failure vs. success counts for particular users who meet the criteria in the string.
My issue: when I click on a user and choose View Events, it brings up a new search with a modified string (of course), but it still only shows the tstats table, with different headers (action, src, dest, user, app, count, failure, success).
What I would like to do is, when I click View Events for a particular user, have it actually show me that event and the correlating log input. Is this possible? Why would I want a brute force alert if I cannot narrow it down to the events, especially the failed logins? Again, please have mercy, I am entry level and still learning Splunk. I love the apps and abilities it has, but using the search box is like I lost all my intelligence. The brute force search:
| tstats `summariesonly` values(Authentication.app) as app, count from datamodel=Authentication.Authentication by Authentication.action, Authentication.src, Authentication.dest, Authentication.user
| `drop_dm_object_name("Authentication")`
| search user!=unknown user!=SYSTEM app!=splunkd_remote_searches src!=MWG* user!=TWC-*
| eval success=if(action="success",count,0), failure=if(action="failure",count,0)
| stats values(dest) as dest, values(user) as user, values(app) as app, sum(failure) as failure, sum(success) as success by src
| join user [search index=top_wineventlog EventCode=4740 | eventstats count(user) as locked_count by user | dedup user, host | table user, locked_count]
| search failure>30 success>0
| where failure>success
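The tstats table above is built from accelerated summaries, so View Events can only re-run the aggregation; to see the underlying log lines you need a second search against the data model's raw events. The following is an added example, not part of the original post: it assumes the Authentication data model is the one the alert uses and that the src and user values (placeholders here) are copied from one row of the alert's table.

```spl
| from datamodel:"Authentication"."Authentication"
| search action="failure" src="10.1.2.3" user="jdoe"
| table _time, src, dest, user, app, action, signature, source, sourcetype
| sort - _time
```

In a dashboard panel or alert drilldown search the placeholder values become the row tokens `$src$` and `$user$`, so each click on a row opens exactly that user's failed logins. The equivalent `| datamodel Authentication Authentication search | search Authentication.action="failure" Authentication.src="10.1.2.3"` returns the same events with dataset-prefixed field names.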