A subsearch is a search that passes its results to an outer search as search terms. Subsearches can be used to narrow down the set of events you are searching on, or with commands that combine the results of one search with the results of another. Subsearches are enclosed in square brackets and must start with a generating command such as the search command or tstats.

Subsearches are always executed first, before their results are passed to the outer search. In this example, we have our basic search, followed by a subsearch in square brackets, followed by a set of additional commands. The results of the subsearch will have an OR boolean operator placed between them: we will see the search expand so that the results of the subsearch are appended as field-value pairs separated by OR operators.

Now, we loaded the knownusers.csv file earlier. We're going to use that knownusers.csv file within an inputlookup command in a subsearch to access the lookup data and pass its values to the outer search. In this example, let's jump over to running this search against our security index, sourcetype of linux_secure. We're looking for failures, and we want to see the unknown users. We know that we've loaded the known users from the knownusers.csv file, so we want to filter them out and keep only the unknown users. What happens by default with the subsearch is that its results are ANDed with the outer search, so in this case we would be looking for all of the security events that contain failures and users coming from knownusers.csv. If we'd like to exclude those users and return only the unknown users, we'll place a NOT boolean operator in front of the inputlookup command, run the search, and from there display the information in a table.

Using the stats command, we will look at the unique values of the IP address and name that field "attackerIP". We'd like a count of events as failures, split by user, and we'd like to see which users had more than three failures. From here, we want to make sure we sort those failures in descending order. We can then see that the administrator user had the most failures, and these were all of the attacker IPs that that specific user used. So in this example we are including a NOT operator before our subsearch to exclude the lookup values. If we take a look at the search job inspector (heading into Inspect Job and scrolling down to the search job properties), it will display the expanded search string. What we will see there is a NOT boolean operator placed in front of each field-value pair that came from knownusers.csv, invoked by the inputlookup command within the subsearch's square brackets.

In this particular search, the search is going to count the number of failures by source IP. We'd like to improve this search and make its results a bit more meaningful. We are filtering on failed logins not coming from internal IPs, so we exclude any IP addresses that begin with 10, then get a count by src_IP, and look at where the count is greater than ten. That shows us where we have more than 10 failed login attempts. But it may still be unclear which of these IP addresses ended up successfully accessing the network. So in this case we'd like to use a subsearch to find the specific IP addresses that have received multiple failed events and send those to the outer search to see which ones were able to access the network.

So what exactly are we trying to find? An external IP address with multiple failed attempts and one or more successful attempts to access the network with a valid password. We will build a subsearch to do this. Let's run the outer search and the inner search separately and see what events we get returned. Running a search across index equal to security, sourcetype of linux_secure, I would like to see the IP addresses that were accepted and were able to log in successfully across the last 24 hours. Now I can place those IP addresses in a table. However, I also want to see which of those failed to log in more than 10 times and were eventually accepted into the network.
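The two searches described above written out in full, as an added example rather than the course's own search strings. They assume the linux_secure events carry src_ip and user fields and contain the literal strings "Failed password" and "Accepted password", and that knownusers.csv has a user column (all assumed names). Each subsearch ends with fields so that only the wanted field reaches the outer search (otherwise count=... would be added to the filter too), and the last pipeline uses format to print the same expansion the search job inspector would show.

```spl
index=security sourcetype=linux_secure "Failed password"
    NOT [ | inputlookup knownusers.csv | fields user ]
| stats count AS failures, values(src_ip) AS attackerIP BY user
| where failures > 3
| sort - failures
| table user failures attackerIP

index=security sourcetype=linux_secure "Accepted password" earliest=-24h
    [ search index=security sourcetype=linux_secure "Failed password" earliest=-24h
        NOT src_ip="10.*"
      | stats count AS failures BY src_ip
      | where failures > 10
      | fields src_ip ]
| stats count AS successes, earliest(_time) AS first_success, values(user) AS users BY src_ip
| convert ctime(first_success)
| table src_ip successes first_success users

index=security sourcetype=linux_secure "Failed password" earliest=-24h
    NOT src_ip="10.*"
| stats count AS failures BY src_ip
| where failures > 10
| fields src_ip
| format
```

Subsearches are silently truncated at the limits.conf [subsearch] defaults (10,000 results, 60 seconds), so if the inner search could return more than that many IPs the outer results are incomplete; check the job inspector for the truncation warning or tighten the inner filter.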