Hi,
I am using the below search query, which lists out the sequence of logins using standard querying. What the below query does is give me the authentication actions as a list. I am looking for those security events which succeed after multiple failures. The below query does the job, but I want to do it using the tstats command, as the conventional query below is quite slow.
```
sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4625
| stats count sparkline as trend values(user) as Users max(_time) as maxtime min(_time) as mintime values(difference) as difference list(action) as list values(src_bunit) as src_bunit values(dest_bunit) as dest_bunit values(dvc_bunit) as dvc_bunit values(user_email) as user_email, values(Failure_Reason) as Failure_Reason, values(signature) as signature, values(Error_Code) as Error_Code by user
| eval list = mvjoin(list, " ")
| eval alert = if(match(list, "(?:failure\s?){4,}(?:success)"), "True", "False")
| where alert = "True"
| eval diff = round((maxtime - mintime)/60,0)
| eval timediff = abs(diff)
| eval maxtime=strftime(maxtime,"%H:%M:%S")
| eval mintime=strftime(mintime,"%H:%M:%S")
| where count>100
| fields - diff
| where timediff<=60
```
I tried constructing the below query, but the **list()** function doesn't seem to work with the tstats command, and hence I am unable to get the exact sequence. In the below query **list(Authentication.action) as list** doesn't work, and hence the issue. If I use **values()** it will only give me success & failure but not the sequence, and hence I am not able to find a success after four failures.
```
| tstats summariesonly=t earliest(_time) as mintime, latest(_time) as maxtime, values(Authentication.dest_nt_domain) as dest_nt_domain, values(Authentication.signature) as signature, list(Authentication.action) as list, values(Authentication.user_email) as user_email, values(Authentication.dest) as dest, values(Authentication.body) as body, values(Authentication.signature_id) as signature_id, values(Authentication.Error_Code) as Error_Code, count as EventCount from datamodel=Authentication where sourcetype="WinEventLog:Security" (Authentication.signature_id="4624" OR Authentication.signature_id="4625") groupby Authentication.user
| eval list = mvjoin(list, " ")
| eval alert = if(match(list, "(?:failure\s?){4,}(?:success)"), "True", "False")
| where alert = "True"
| eval diff = round((maxtime - mintime)/60,0)
| eval timediff = abs(diff)
| eval maxtime=strftime(maxtime,"%H:%M:%S %Z")
| eval mintime=strftime(mintime,"%H:%M:%S %Z")
| where EventCount>=50
| fields - diff
| where timediff<=60
```
**Why am I using the "list" command?**
To get a failure-followed-by-success action sequence like the example below.
After the list command: `| eval list = mvjoin(list, " ") | eval alert = if(match(list, "(?:failure\s?){4,}(?:success)"), "True", "False") | where alert = "True"`
**Example:** failure failure failure failure success failure success
How can I address the above scenario using the datamodel/tstats?
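The detection the post describes (an ordered per-user action list, the regex `(?:failure\s?){4,}(?:success)` over that list, and a time-window filter) spelled out as an added, standalone Python example. This is not SPL and not the poster's code; it runs over a constructed set of events and exists to make the logic unambiguous. It goes slightly beyond the SPL in one respect, which is stated here: the time window is measured across the events of the matching failure/success run rather than across the user's earliest and latest event overall, and `min_count` stands in for the post's `count>100` / `EventCount>=50` threshold.

```python
import re
from collections import defaultdict

# Constructed sample authentication events: (epoch seconds, user, action).
# Not real log data; times are chosen so that "alice" trips the rule,
# "bob" never has a success after four failures, and "carol" does but only
# after a gap far longer than 60 minutes.
SAMPLE_EVENTS = [
    (1700000000, "alice", "failure"),
    (1700000030, "alice", "failure"),
    (1700000060, "alice", "failure"),
    (1700000090, "alice", "failure"),
    (1700000120, "alice", "success"),
    (1700000500, "alice", "failure"),
    (1700000600, "alice", "success"),
    (1700000000, "bob", "failure"),
    (1700000040, "bob", "success"),
    (1700000080, "bob", "failure"),
    (1700000120, "bob", "failure"),
    (1700000160, "bob", "failure"),
    (1700000200, "bob", "failure"),
    (1700000000, "carol", "failure"),
    (1700000100, "carol", "failure"),
    (1700000200, "carol", "failure"),
    (1700000300, "carol", "failure"),
    (1700010000, "carol", "success"),
]

# The same pattern the post applies to the space-joined action list.
BRUTE_FORCE_PATTERN = re.compile(r"(?:failure\s?){4,}(?:success)")


def build_sequences(events):
    """Group events by user and return {user: [(epoch, action), ...]} sorted
    by time. This is the ordered list that stats list(action) by user yields
    when events are already in time order."""
    by_user = defaultdict(list)
    for ts, user, action in events:
        by_user[user].append((ts, action))
    for seq in by_user.values():
        seq.sort()
    return by_user


def detect_success_after_failures(events, window_minutes=60, min_count=1):
    """Return {user: {"list": joined_actions, "timediff": minutes}} for every
    user whose ordered action list contains at least four failures directly
    followed by a success, where the matching run spans at most
    window_minutes and the user has at least min_count events."""
    alerts = {}
    for user, seq in build_sequences(events).items():
        if len(seq) < min_count:
            continue
        joined = " ".join(action for _, action in seq)
        m = BRUTE_FORCE_PATTERN.search(joined)
        if not m:
            continue
        # Map the match back to event indices: every action is one word, so the
        # number of spaces before a position is the index of the event there.
        first_idx = joined[: m.start()].count(" ")
        last_idx = joined[: m.end()].count(" ")
        span_seconds = seq[last_idx][0] - seq[first_idx][0]
        timediff = int(round(span_seconds / 60))
        if timediff <= window_minutes:
            alerts[user] = {"list": joined, "timediff": timediff}
    return alerts


if __name__ == "__main__":
    for user, hit in detect_success_after_failures(SAMPLE_EVENTS).items():
        print(f"{user}: {hit['list']} (run spans {hit['timediff']} min)")
```

Running it flags only `alice`: her first four failures and the success that follows sit two minutes apart. `carol` matches the regex too but her success lands about 167 minutes after the first failure, so raising `window_minutes` to 180 adds her, and raising `min_count` above the number of events per user suppresses everything, mirroring the post's `EventCount` threshold.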