Hi Team,
I have a Splunk query which I am trying to convert to Chronicle.
Splunk Query:
| tstats summariesonly=true allow_old_summaries=true
count as count
values(Authentication.user) as user
values(Authentication.dest_nt_domain) as dest_nt_domain
values(Authentication.app) as app
values(Authentication.src) as src
values(Authentication.dest) as dest
values(host)
from
datamodel="Authentication"
WHERE
nodename=Authentication.Successful_Authentication AND
Authentication.app = win:remote AND
([ | inputlookup UCL-Monitored_Server_List | fields host | rename host AS Authentication.dest] OR [ | inputlookup UCL-Monitored_Server_List | fields ip | rename ip AS Authentication.dest]) AND
([ | inputlookup UCL-Monitored_Server_List | fields ip | rename ip AS Authentication.src] OR [ | inputlookup UCL-Monitored_Server_List | fields host | rename host AS Authentication.src]) AND NOT
([ | inputlookup UCL-Service_Account | fields domain, username | rename domain AS Authentication.dest_nt_domain, username AS Authentication.user]) AND NOT
Authentication.tag="logon_type_3"
by
host
Authentication.user
Authentication.src
Authentication.dest
| rename Authentication.* as *
| eval host=upper(host)
| eval src=upper(src)
| eval dest_hostname=mvindex(split(dest,"."),0)
| eval dest_hostname=upper(dest_hostname)
| eval isRemote=if((src != dest_hostname AND host = dest_hostname),"true","false")
| search isRemote=true
| table host user dest_nt_domain src dest count
The Chronicle alert I am trying to create is this:
Chronicle
events:
$event.metadata.event_type = "USER_LOGIN"
$event.metadata.vendor_name = "Microsoft"
$event.extensions.auth.mechanism = "REMOTE"
$event.extensions.auth.auth_details != "3"
//Below Exclusion is for authorised user/IP/host
($event.principal.ip in %Monitored_Server_List or $event.principal.hostname in %Monitored_Server_List)
($event.target.ip in %Monitored_Server_List or $event.target.hostname in %Monitored_Server_List)
not $event.principal.user.userid in %Service_Account
$attacker_user = re.capture(strings.to_upper(strings.coalesce($event.principal.user.userid, $event.principal.user.user_display_name)), `([^\\]*)$`)
$attacker_ip = strings.coalesce($event.principal.ip, $event.src.ip)
match:
$attacker_ip over 10m
condition:
$event
}
Are these both the same, or am I missing something?
The values after the count by in Splunk should be used in the match section; is my understanding correct here?
It's certainly close in theory. You gotta remember tho Splunk is Splunk and does rules differently than Secops.
Have you tested a sample in Splunk vs a sample in Secops?
Is this working for you or are you still having some challenges with it?
Looking at the two, I would say you are fairly close. It is up to you to determine if you want to group by the host and src and dest and user. It seems that if you are trying to create a similar rule that aggregates by that combo I would be inclined to match on src/dest/user in the match section.
If you are not getting any results, I'd start by commenting out the lists and then add them in last of all.
The one thing I'm wondering whether you are missing is the two lines around isRemote. That component might be able to be handled in the events section like this:
$event.src.hostname != $event.target.hostname
Or it could be handled in the outcome section with some conditional logic and then adding an extra value to the condition section like this:
outcome:
$is_remote=max(if(($event.src.hostname != $event.target.hostname AND $event.principal.hostname = $event.target.hostname),1,0))
condition:
$event and $is_remote > 0
It's important to note that I don't know what the fields and their values are here so make sure you look at your data to ensure the logic works, but depending where you want the comparison to take place you have options. I suspect that it will be the second example because if the query above could have done it in the where section, they would have and the where section more aligns to our event section.
Hopefully this helps a bit.
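To make the isRemote discussion above concrete, here is an added example, written for this thread and not taken from either poster, Splunk or Chronicle: a small Python model of the Splunk query's logic run over constructed Windows logon events. The Splunk version uppercases src and host and compares src against the part of dest before the first dot (mvindex(split(dest,"."),0)); a bare `$event.src.hostname != $event.target.hostname` comparison does no such normalization, so an FQDN in one field and a short name in another flips the result. The model also mirrors the list filters, the logon-type-3 exclusion and the `by host user src dest` grouping that the match section would reproduce. Event field names, hostnames, IPs and the list contents are all constructed for the example.

```python
"""Model of the Splunk isRemote logic from the thread, applied to constructed
logon events. Added example; all field names, hosts, IPs and list entries are
assumptions made for illustration, not real data."""
from dataclasses import dataclass


@dataclass
class LoginEvent:
    host: str        # reporting host (Splunk `host`)
    user: str        # Authentication.user
    src: str         # Authentication.src (hostname or IP)
    dest: str        # Authentication.dest (short name or FQDN)
    logon_type: str  # Windows logon type as a string, e.g. "3" or "10"


def short_hostname(name: str) -> str:
    """Equivalent of upper(mvindex(split(dest, "."), 0)): text before the first dot."""
    return name.split(".")[0].upper()


def is_remote_splunk(ev: LoginEvent) -> bool:
    """The Splunk eval: src != dest_hostname AND host = dest_hostname, after
    the query's upper() and split() normalization."""
    src = ev.src.upper()
    host = ev.host.upper()
    dest_hostname = short_hostname(ev.dest)
    return src != dest_hostname and host == dest_hostname


def is_remote_naive(ev: LoginEvent) -> bool:
    """Direct comparison of the raw fields, as a one-line events-section
    condition would do, with no case or FQDN normalization."""
    return ev.src != ev.dest and ev.host == ev.dest


def monitored_remote_logons(events, monitored, service_accounts):
    """Apply the monitored-server and service-account list filters, drop
    logon type 3, and keep events the Splunk logic classifies as remote."""
    mon = {m.upper() for m in monitored}
    svc = {s.upper() for s in service_accounts}
    kept = []
    for ev in events:
        if ev.logon_type == "3":          # NOT tag="logon_type_3"
            continue
        if ev.user.upper() in svc:        # NOT in the service-account list
            continue
        # Both ends must be on the monitored list (by short name or IP)
        if short_hostname(ev.dest) not in mon or ev.src.upper() not in mon:
            continue
        if is_remote_splunk(ev):
            kept.append(ev)
    return kept


def aggregate(events):
    """Mirror the `by host user src dest` clause: a count per key tuple,
    the combination the replies suggest matching on in YARA-L."""
    counts = {}
    for ev in events:
        key = (ev.host.upper(), ev.user, ev.src.upper(), short_hostname(ev.dest))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # FQDN dest: remote under the Splunk logic, not under the naive comparison
    LoginEvent("FILESRV01", "CORP\\alice", "10.0.0.5", "filesrv01.corp.example", "10"),
    # Local logon: src equals the short dest hostname
    LoginEvent("FILESRV01", "CORP\\bob", "FILESRV01", "filesrv01.corp.example", "10"),
    # Service account: excluded by the list filter
    LoginEvent("FILESRV01", "CORP\\svc_backup", "10.0.0.9", "filesrv01.corp.example", "10"),
    # Network logon (type 3): excluded
    LoginEvent("FILESRV01", "CORP\\carol", "10.0.0.7", "filesrv01.corp.example", "3"),
    # Short dest name: both comparisons agree
    LoginEvent("FILESRV01", "CORP\\dave", "10.0.0.5", "FILESRV01", "10"),
]
MONITORED = ["FILESRV01", "10.0.0.5", "10.0.0.7", "10.0.0.9"]
SERVICE_ACCOUNTS = ["CORP\\svc_backup"]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.user:<18} splunk={is_remote_splunk(ev)!s:<5} naive={is_remote_naive(ev)}")
    for key, n in aggregate(monitored_remote_logons(SAMPLE_EVENTS, MONITORED, SERVICE_ACCOUNTS)).items():
        print(key, n)
```

Running it shows the first event flagged as remote by the Splunk logic but not by the raw comparison, which is exactly the kind of field-level check the reply above recommends doing against your own data before choosing between the events-section and outcome-section versions.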