All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

InfoSec app for Splunk - How do you see events?

eliasit
Path Finder
‎08-13-2019 12:35 PM

Hello Splunkers,
I have the InfoSec for Splunk App (https://splunkbase.splunk.com/app/4240/#/overview) installed and working. I'm getting data into it and it is using that data. My issue is that when I go to an alert (any alert) it will show me the stats but not any of the actual events. (Yes it is in verbose mode) The events tab shows X number of events but when I click the events tab it says "no results". I think (please correct me if I'm wrong) this is normal behavior if using the tstats command, so how can I look at the actual events the search is finding?

I don't have enough karma points to add screenshots but this is the search the alert is using.

| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.src as source, Authentication.action as action
| chart last(count) over source by action
| where success>0 and failure>20
| sort -failure
| rename failure as failures
| fields - success, unknown

For my data this returns 2 IPs and the number of failures for each. I think that these are false positives (some app, utility, script, etc. with an old password) but need to see the actual events to be certain.
Thanks for taking the time to read this.

System details
Stand-alone Splunk Enterprise 7.3
InfoSec app version 1.4
CIM version 4.11

Reply
1 Solution
Solved! Jump to solution
Solution

igifrin_splunk
Splunk Employee
Splunk Employee
‎08-13-2019 02:04 PM

Hello @eliasit, you are correct - tstats will not show you raw events. That's by design as tstats in this case uses an accelerated data model and does not touch raw events. That lets you report on millions or billions events in seconds.

If you are after drilling down into the details of the Brute Force Attack report like the one on the screenshot below

alt text

you can do a couple of things:

  1. Click on the source (IP or hostname). It will take you to the investigation dashboard where you can see the successful and failed authentications charts. Click on an element of a chart to get to the raw events.

  2. Modify the tstats search string to something that does not use tstats:

    tag=authentication
    | stats count by action, src
    | chart last(count) over src by action
    | where success>0 and failure>20

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

igifrin_splunk
Splunk Employee
Splunk Employee
‎08-13-2019 02:04 PM

Hello @eliasit, you are correct - tstats will not show you raw events. That's by design as tstats in this case uses an accelerated data model and does not touch raw events. That lets you report on millions or billions events in seconds.

If you are after drilling down into the details of the Brute Force Attack report like the one on the screenshot below

alt text

you can do a couple of things:

  1. Click on the source (IP or hostname). It will take you to the investigation dashboard where you can see the successful and failed authentications charts. Click on an element of a chart to get to the raw events.

  2. Modify the tstats search string to something that does not use tstats:

    tag=authentication
    | stats count by action, src
    | chart last(count) over src by action
    | where success>0 and failure>20

Preview file
1 KB
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...