Splunk Search

Is the Enterprise Security 'ESCU - Remote Desktop Network Bruteforce - Rule' correlation search incorrect?

grashupfer
Engager

Hi Splunkers,

I was wading through some of the Enterprise Security correlation searches and I noticed that the Remote Desktop Network Bruteforce search (defined in $SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/default/savedsearches.conf) appears to be attempting to identify an anomalous count of RDP network connections by getting a count from tstats, then checking if 'count>(stdev*2)'.

Now I've never been particularly good at statistics, but I thought that a common method for detecting outliers was to check for values that were more than 2 (or 3) standard deviations from the mean, rather than more than 2 (or 3) standard deviations from zero?

Most of the other outlier detection searches that I've seen do 'avg + (2 * stdev)' type constructs (like the ESCU - SMB Traffic Spike - Rule correlation search in that same file for instance), so I tried to find some statistics background information and found How to Use Statistics to Identify Outliers in Data, which mentions the 'Standard Deviation Method'. That goes on to say that the data can be 'normalised' so that the mean is zero, which I believe would explain the expression in the correlation search not taking avg into account, but I can't see anything in that search query to 'normalise' the data (not that I'd know what that looked like, but it is just getting a straight count from tstats so I'm assuming it isn't normalised?).

Also, to further back up my theory, the description field for the correlation search in the above-mentioned savedsearches.conf file states:

This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic

So, thinking that this may actually be a bug, I checked for a later version of the ES Content Updates app (I'm running v1.0.38) and found v1.0.41. Downloading and checking that shows the same potential problem in v1.0.41 too.

The following UNIX command will show any search string mentioning 'stdev' along with the stanza name (for the search name), for comparison -- some take the avg into account and some don't:

grep "[|=][^=|]*stdev" "$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/default/savedsearches.conf" | grep -B 1 "stdev"

This isn't really a problem as such, because I can just redo the correlation search and add the calculated avg field. I'm just after some sort of confirmation as to whether or not the existing search string is correct, as it produces more notable events without using avg than with.

Thanks,
Karl
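To make the difference between the two thresholds concrete, here is an added Python model of the logic the post describes (it is not the ESCU app's own SPL and not code from the poster). It evaluates 'count > 2 * stdev' and 'count > avg + 2 * stdev' over constructed per-source/destination RDP connection counts for two time windows, and assumes Splunk's stdev() is the sample standard deviation, which statistics.stdev also computes.

```python
from statistics import mean, stdev

# Constructed per-(src, dest) RDP connection counts for one time window,
# standing in for the per-pair count that tstats would return.

# Quiet window: steady traffic, no brute force, low variance between pairs.
QUIET_WINDOW = {
    ("10.0.0.1", "10.0.1.10"): 100, ("10.0.0.2", "10.0.1.10"): 102,
    ("10.0.0.3", "10.0.1.11"): 98,  ("10.0.0.4", "10.0.1.11"): 101,
    ("10.0.0.5", "10.0.1.12"): 99,  ("10.0.0.6", "10.0.1.12"): 103,
    ("10.0.0.7", "10.0.1.13"): 100, ("10.0.0.8", "10.0.1.13"): 97,
}

# Burst window: one pair generating a brute-force style spike.
BURST_WINDOW = {
    ("10.0.0.1", "10.0.1.10"): 40, ("10.0.0.2", "10.0.1.10"): 45,
    ("10.0.0.3", "10.0.1.11"): 38, ("10.0.0.4", "10.0.1.11"): 42,
    ("10.0.0.5", "10.0.1.12"): 44, ("10.0.0.6", "10.0.1.12"): 41,
    ("10.0.0.7", "10.0.1.13"): 39, ("10.0.9.9", "10.0.1.10"): 500,
}


def flag_stdev_only(counts, k=2):
    """Threshold as shipped: flag a pair when count > k * stdev (no mean).

    Measured from zero, so a tight cluster of normal values is flagged
    whenever the counts are larger than a few multiples of their spread."""
    sd = stdev(counts.values())
    return {pair for pair, c in counts.items() if c > k * sd}


def flag_mean_plus_stdev(counts, k=2):
    """Textbook outlier test: flag a pair when count > avg + k * stdev.

    Measured from the mean, so only values that sit well above the
    typical pair are flagged."""
    values = list(counts.values())
    threshold = mean(values) + k * stdev(values)
    return {pair for pair, c in counts.items() if c > threshold}


if __name__ == "__main__":
    for name, window in (("quiet", QUIET_WINDOW), ("burst", BURST_WINDOW)):
        print(f"{name}: stdev-only flags {len(flag_stdev_only(window))} pairs, "
              f"avg+stdev flags {len(flag_mean_plus_stdev(window))} pairs")
```

In the quiet window the stdev-only condition flags every pair (each count of about 100 exceeds twice a standard deviation of 2), while the mean-based condition flags none; in the burst window both flag only the spiking pair.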
