Splunk Enterprise Security

A bit stuck with syntax while working with an ES search

Path Finder


I found two cases where the ES correlated search "Brute Force Access Behavior Detected" is "invalid" for our purposes. They are both indicators that an AD account is locked out or disabled and are as follows:

Event Code = 4768
krb tgt request result code = 0x12 or 0x6

Now, I'm having some trouble with syntax for this (note that the datamodel expanded while I was working, and the changes I've made are reflected below the search:

(index=* OR index=_*) ((()) tag=authentication NOT (action=success user=*$)) DIRECTIVES(READ_SUMMARY(datamodel="Authentication.Authentication" summariesonly="false" allow_old_summaries="false")) 
| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user) 
| search action=failure 
| eval is_Failed_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Authentication=1-is_Failed_Authentication, is_Successful_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Authentication=1-is_Successful_Authentication, is_Default_Authentication=if(searchmatch("(tag=\"default\")"),1,0), is_not_Default_Authentication=1-is_Default_Authentication, is_Insecure_Authentication=if(searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"),1,0), is_not_Insecure_Authentication=1-is_Insecure_Authentication, is_Privileged_Authentication=if(searchmatch("(tag=\"privileged\")"),1,0), is_not_Privileged_Authentication=1-is_Privileged_Authentication 
| fields "_time" "host" "source" "sourcetype" "dest_bunit" "dest_category" "dest_nt_domain" "dest_priority" "duration" "response_time" "signature" "signature_id" "src_bunit" "src_category" "src_nt_domain" "src_priority" "src_user_bunit" "src_user_category" "src_user_priority" "tag" "user_bunit" "user_category" "user_priority" "action" "app" "src" "src_user" "dest" "user" "is_Failed_Authentication" "is_not_Failed_Authentication" "is_Successful_Authentication" "is_not_Successful_Authentication" "is_Default_Authentication" "is_not_Default_Authentication" "is_Insecure_Authentication" "is_not_Insecure_Authentication" "is_Privileged_Authentication" "is_not_Privileged_Authentication" 
| search signature_id!=4768 
| rex "Result Code:\s*(?<krb_tgt_request_result_code>.*)" 
| search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6 
| eval DoW_Hour_Min = strftime(_time,"%A_%H_%M") 
| stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code 
| sort -count

changes are:

  • | search action=failure
  • | search signature_id!=4768
  • | rex "Result Code:\s*(?.*)"
  • | search krb_tgt_request_result_code!=0x12 krb_tgt_request_result_code!=0x6
  • | eval DoW_Hour_Min = strftime(time,"%A%H_%M")
  • | stats count by DoW_Hour_Min, app, src, dest, action, user, signature_id, krb_tgt_request_result_code
  • | sort -count

So, my problem is... the rex is only valid for events with signature_id=4768. But I want to exclude explicitly those events.

I guess the question is two fold:
1) do I care about the efficiency of the rex, insomuch that I only want it to exercise against signature_id=4768? How do I do that?
2) I really only care about dealing with signature_id=4768 with krb_Tgt_request_result_code is: 0x12 or 0x6. How do I do that?

Will it work if I do a single rex with two named capture groups, and then I can run a subsequent search for my inverse cases?



0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!