I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating new correlated searches with adjusted thresholds and/or explicit asset exceptions.
The correlated search I'm reviewing is "Access - Brute Force Access Behavior Detected - Rule."
In an effort to attribute the authentication failures to systems with a src and a dst so that I can present the data to sysadmins for investigation and resolution of possible misconfiguration, I wanted to better understand the correlated search:

```
| from datamodel:"Authentication"."Authentication"
| stats values(tag) as tag, values(app) as app, count(eval('action'=="failure")) as failure, count(eval('action'=="success")) as success by src
| search success>0
| xswhere failure from failures_by_src_count_1h in authentication is above medium
```
I have an understanding of most of the search, but the parameters of `xswhere` are throwing me off. If I understand the documentation well enough, I see the entities:
* hedge
* concept
* context
* container
However, I do not understand where they are defined.
Very tangibly, in this example... where can I locate the definitions of: `failure`, `failures_by_src_count_1h`, `authentication`, `above`, `medium`.
Are these contained within the data model?
As an *aside* (as in not for me to understand conceptually and specifically what's going on), what is the best practice for tweaking correlated searches in ES? I wanted to use this canned correlated search as a template and clone it into two additional correlated searches with different thresholds and different in-scope assets (by excluding assets in a lookup table).
Thanks,
Matt
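An added example that is not part of the post above and not Splunk ES code: a plain-Python stand-in for the aggregation and filtering the quoted search performs, written so the two planned clones (an asset-exception lookup and a different threshold) can be tried on constructed data offline. The hosts, apps, the `ASSET_EXCEPTIONS` set and the fixed integer `threshold` are all assumptions; in particular the integer threshold replaces the Extreme Search context/concept comparison (`failures_by_src_count_1h`, `medium`) and is a simplification, not a description of how `xswhere` evaluates its concepts. `values(dest)` is added to the aggregation so each row carries both ends of the connection, which the original search does not do.

```python
# Added example (not from the original post or from Splunk ES): a plain-Python
# stand-in for the aggregation and filtering that the quoted correlation search
# performs. The fixed integer threshold replaces the Extreme Search
# context/concept lookup (failures_by_src_count_1h / medium); that is a
# simplification, not how xswhere evaluates its fuzzy-logic concepts.


def _events(src, dest, app, failures, successes):
    """Build constructed Authentication-model rows for one source (hypothetical hosts)."""
    row = {"src": src, "dest": dest, "app": app}
    return ([dict(row, action="failure") for _ in range(failures)]
            + [dict(row, action="success") for _ in range(successes)])


# Constructed sample events; hosts, destinations and apps are hypothetical.
SAMPLE_EVENTS = (
    _events("10.0.0.5", "dc01", "win:remote", failures=6, successes=1)     # guessing that finally worked
    + _events("10.0.0.7", "vpn01", "vpn", failures=3, successes=1)         # a few typos, then a login
    + _events("10.0.0.9", "dc01", "win:remote", failures=20, successes=1)  # hypothetical authorised scanner
    + _events("10.0.0.11", "vpn01", "vpn", failures=50, successes=0)       # never succeeded
)

# Hypothetical asset-exception list; in ES this would be a lookup table
# consulted by the cloned search rather than a hard-coded set.
ASSET_EXCEPTIONS = frozenset({"10.0.0.9"})


def aggregate_by_src(events):
    """Mirror of: stats values(app) as app, count(eval('action'=="failure")) as failure,
    count(eval('action'=="success")) as success by src
    plus values(dest), so each row carries both ends of the connection (an addition)."""
    rows = {}
    for e in events:
        r = rows.setdefault(e["src"], {"failure": 0, "success": 0, "app": set(), "dest": set()})
        if e["action"] in ("failure", "success"):  # other action values are not counted
            r[e["action"]] += 1
        r["app"].add(e["app"])
        r["dest"].add(e["dest"])
    return rows


def evaluate(events, threshold, exceptions=frozenset()):
    """Return the rows the search would pass on as notables.

    threshold  - stand-in for the context/concept comparison (`is above medium`);
                 a row fires only when failure > threshold (strict 'above').
    exceptions - src values to drop: the asset-exception lookup of the clone.
    """
    notables = []
    for src, r in sorted(aggregate_by_src(events).items()):
        if src in exceptions:          # asset exception applied before thresholding
            continue
        if r["success"] <= 0:          # `| search success>0`
            continue
        if r["failure"] <= threshold:  # `| xswhere failure ... is above medium` (simplified)
            continue
        notables.append({"src": src, "dest": sorted(r["dest"]), "app": sorted(r["app"]),
                         "failure": r["failure"], "success": r["success"]})
    return notables


if __name__ == "__main__":
    for name, thr, exc in (("canned search", 5, frozenset()),
                           ("clone A: asset exceptions", 5, ASSET_EXCEPTIONS),
                           ("clone B: lower threshold", 2, ASSET_EXCEPTIONS)):
        print(name, [(n["src"], n["dest"], n["failure"]) for n in evaluate(SAMPLE_EVENTS, thr, exc)])
```

Running it shows the three cases side by side: with the canned threshold the scanner host fires alongside the real offender, the exception list removes the scanner without touching the threshold, and the lower threshold pulls in the low-count source that the canned threshold ignored. The host that never authenticated successfully is dropped in every case by the `success>0` filter, which is the part of the original search that most affects what a clone will and will not surface.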