Hi Team
I have a Splunk query which I am trying to convert to Chronicle.
Splunk Query
| tstats summariesonly=true allow_old_summaries=true
count as count
values(Authentication.user) as user
values(Authentication.dest_nt_domain) as dest_nt_domain
values(Authentication.app) as app
values(Authentication.src) as src
values(Authentication.dest) as dest
values(host)
from
datamodel="Authentication"
WHERE
nodename=Authentication.Successful_Authentication AND
Authentication.app = win:remote AND
([ | inputlookup UCL-Monitored_Server_List | fields host | rename host AS Authentication.dest] OR [ | inputlookup UCL-Monitored_Server_List | fields ip | rename ip AS Authentication.dest]) AND
([ | inputlookup UCL-Monitored_Server_List | fields ip | rename ip AS Authentication.src] OR [ | inputlookup UCL-Monitored_Server_List | fields host | rename host AS Authentication.src]) AND NOT
([ | inputlookup UCL-Service_Account | fields domain, username | rename domain AS Authentication.dest_nt_domain, username AS Authentication.user]) AND NOT
Authentication.tag="logon_type_3"
by
host
Authentication.user
Authentication.src
Authentication.dest
| rename Authentication.* as *
| eval host=upper(host)
| eval src=upper(src)
| eval dest_hostname=mvindex(split(dest,"."),0)
| eval dest_hostname=upper(dest_hostname)
| eval isRemote=if((src != dest_hostname AND host = dest_hostname),"true","false")
| search isRemote=true
| table host user dest_nt_domain src dest count
The Chronicle alert I am trying to create is this:
Chronicle
// The rule header was missing from the post; the rule name below is a placeholder.
rule remote_logon_to_monitored_server {
  events:
    $event.metadata.event_type = "USER_LOGIN"
    $event.metadata.vendor_name = "Microsoft"
    $event.extensions.auth.mechanism = "REMOTE"
    $event.extensions.auth.auth_details != "3"
    // Both ends of the logon must be monitored servers; service accounts are excluded
    ($event.principal.ip in %Monitored_Server_List or $event.principal.hostname in %Monitored_Server_List)
    ($event.target.ip in %Monitored_Server_List or $event.target.hostname in %Monitored_Server_List)
    not $event.principal.user.userid in %Service_Account
    // Placeholders: the user without any DOMAIN\ prefix, and the source IP
    $attacker_user = re.capture(strings.to_upper(strings.coalesce($event.principal.user.userid, $event.principal.user.user_display_name)), `([^\\]*)$`)
    $attacker_ip = strings.coalesce($event.principal.ip, $event.src.ip)

  match:
    $attacker_ip over 10m

  condition:
    $event
}
Are these both the same, or am I missing something?
The values after the count by in Splunk should be used in the match section; is my understanding correct here?
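As an added example (not part of the post above, and not Splunk's or Chronicle's code), the Python below models the two rules side by side over a handful of constructed Windows remote-logon records: the Splunk query's WHERE clause, its count by host/user/src/dest, and the eval chain that builds dest_hostname and isRemote, next to the predicates of the YARA-L events section. The lookup contents, the records, and the field mapping from the Authentication datamodel to UDM (src to principal, dest to target, app win:remote to mechanism REMOTE, tag logon_type_3 to auth_details "3") are all assumptions made for the example. Running it shows which records each side keeps, so the two can be compared on concrete input rather than by reading the syntax alone.

```python
"""Reference model of the posted Splunk query and YARA-L events section.
Added example, not from the post: lookups, records and field mapping are constructed."""
from collections import defaultdict

# Constructed stand-ins for the two lookups (hypothetical values).
MONITORED_SERVER_LIST = [
    {"host": "srv01.corp.example", "ip": "10.0.0.5"},
    {"host": "srv02.corp.example", "ip": "10.0.0.6"},
    {"host": "srv01", "ip": "10.0.0.5"},  # short-name row
]
SERVICE_ACCOUNTS = [{"domain": "CORP", "username": "svc_backup"}]

# Constructed records in the shape of the Authentication datamodel fields.
EVENTS = [
    dict(host="srv01", user="alice", dest_nt_domain="CORP", app="win:remote",
         src="10.0.0.6", dest="srv01.corp.example", tag="logon_type_10"),
    dict(host="srv01", user="alice", dest_nt_domain="CORP", app="win:remote",
         src="10.0.0.6", dest="srv01.corp.example", tag="logon_type_10"),
    # src is the destination's own short name: not remote by the eval
    dict(host="srv01", user="bob", dest_nt_domain="CORP", app="win:remote",
         src="srv01", dest="srv01.corp.example", tag="logon_type_10"),
    # reporting host differs from the destination: not remote by the eval
    dict(host="srv02", user="carol", dest_nt_domain="CORP", app="win:remote",
         src="10.0.0.6", dest="srv01.corp.example", tag="logon_type_10"),
    # service account: dropped by the lookup exclusion
    dict(host="srv02", user="svc_backup", dest_nt_domain="CORP", app="win:remote",
         src="10.0.0.5", dest="srv02.corp.example", tag="logon_type_10"),
    # network logon: dropped by the tag exclusion
    dict(host="srv02", user="dave", dest_nt_domain="CORP", app="win:remote",
         src="10.0.0.5", dest="srv02.corp.example", tag="logon_type_3"),
]


def _values(rows, *fields):
    """Lower-cased set of lookup values; matching is modelled as
    case-insensitive, as Splunk search-term matching of field values is."""
    return {row[f].lower() for row in rows for f in fields}


def passes_where(ev):
    """The tstats WHERE clause: app, both monitored-server checks,
    the domain+username service-account exclusion and the logon_type_3 exclusion."""
    servers = _values(MONITORED_SERVER_LIST, "host", "ip")
    svc = {(r["domain"].lower(), r["username"].lower()) for r in SERVICE_ACCOUNTS}
    return (ev["app"] == "win:remote"
            and ev["dest"].lower() in servers
            and ev["src"].lower() in servers
            and (ev["dest_nt_domain"].lower(), ev["user"].lower()) not in svc
            and ev["tag"] != "logon_type_3")


def splunk_results(events):
    """count by host/user/src/dest, then the eval chain and the isRemote filter."""
    groups = defaultdict(lambda: {"count": 0, "dest_nt_domain": set()})
    for ev in filter(passes_where, events):
        key = (ev["host"], ev["user"], ev["src"], ev["dest"])
        groups[key]["count"] += 1
        groups[key]["dest_nt_domain"].add(ev["dest_nt_domain"])
    rows = []
    for (host, user, src, dest), agg in groups.items():
        host, src = host.upper(), src.upper()
        dest_hostname = dest.split(".")[0].upper()  # mvindex(split(dest,"."),0)
        is_remote = src != dest_hostname and host == dest_hostname
        if is_remote:
            rows.append({"host": host, "user": user, "src": src, "dest": dest,
                         "dest_nt_domain": sorted(agg["dest_nt_domain"]),
                         "count": agg["count"]})
    return rows


def passes_yaral_events(ev):
    """The predicates of the rule's events section applied to the same records.
    Assumed mapping (hypothetical): src -> principal, dest -> target,
    app win:remote -> mechanism REMOTE, tag logon_type_3 -> auth_details "3".
    The rule checks userid alone (the Splunk lookup keys on domain+username)
    and has no counterpart to the src/dest_hostname/host comparison."""
    servers = _values(MONITORED_SERVER_LIST, "host", "ip")
    svc_users = {r["username"].lower() for r in SERVICE_ACCOUNTS}
    return (ev["app"] == "win:remote"
            and ev["tag"] != "logon_type_3"
            and ev["src"].lower() in servers
            and ev["dest"].lower() in servers
            and ev["user"].lower() not in svc_users)


def yaral_event_users(events):
    """Users whose records the YARA-L events section would keep."""
    return sorted({ev["user"] for ev in events if passes_yaral_events(ev)})


if __name__ == "__main__":
    print(splunk_results(EVENTS))     # one row: alice, count 2
    print(yaral_event_users(EVENTS))  # ['alice', 'bob', 'carol']
```

On this input the Splunk side keeps only alice's two logons, because the isRemote eval requires the reporting host to be the destination and the source to differ from it, while the modelled events section also keeps bob's local logon and carol's logon reported by another host. The grouping also differs: the Splunk by clause keys on host, user, src and dest, whereas the match section keys on $attacker_ip alone over 10m.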