Using map Command in Splunk

December 20, 2024 · 3 min read

The map command in Splunk is a powerful tool that enables executing secondary searches based on the results of a primary search. This capability allows for dynamic, nested investigations, making it particularly useful in cybersecurity for uncovering indicators of compromise (IOCs) or analyzing specific user activity patterns.

As an example, we can build a query that detects brute-force attempts, where a user has multiple failed login attempts followed by a successful login within a short time frame. The map command supports this by running a secondary search for successful logins based on the results of a primary search for failed logins.

index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3

  • bin span=1m _time: Groups events into 1-minute intervals.
  • stats: Counts events and distinct event codes per user and per 1-minute interval.
  • where EventCodeDC = 1 and EventCode=4625: Keeps only intervals that contain failed logins and no successful logins.
  • where count > 3: Identifies users with more than three failed attempts in one interval.

To narrow the investigation, add time constraints to check for successful logins (EventCode=4624) occurring within 5 minutes of the failed attempts.

index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3
| eval earliest = _time 
| eval latest = _time + 300

Using the “map” command, run a secondary search for successful logins for each user identified in the primary search. Specify the time window (earliest and latest) to check for a successful login.

index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3
| eval earliest = _time 
| eval latest = _time + 300
| map search="search index=windows EventCode=4624 Account_Name=$Account_Name$ earliest=$earliest$ latest=$latest$ | stats count by Account_Name, ComputerName, _time | head 1"

The map command runs the secondary search once for each row (Account_Name) returned by the primary search, substituting that row's values for the $Account_Name$, $earliest$ and $latest$ tokens. Each secondary search checks for successful login events (EventCode=4624) within the specified time window (earliest to latest).
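To make the three stages of the pipeline easy to test without a Splunk instance, here is an added Python model of the same logic; it is not part of the original post and not the author's SPL. The sample events, the epoch base T0 and the function names are constructed for this example. primary_search() reproduces the 1-minute binning, the per-account count and the EventCodeDC filter; secondary_search() reproduces the subsearch that map runs for one primary row; map_search() ties them together the way map iterates over rows.

```python
"""Offline model of the Splunk map pipeline: per-minute failed-logon bursts
(4625) per account, then a per-row check for a successful logon (4624)
within 300 seconds of the burst."""
from collections import defaultdict

SPAN = 60        # bin span=1m
WINDOW = 300     # eval latest = _time + 300
THRESHOLD = 3    # where count > 3

# Constructed sample events (epoch seconds). T0 is aligned to a minute boundary
# so that T0 is itself the start of the first bin.
T0 = 1_700_000_040


def ev(offset, code, account, host):
    """Build one constructed Windows logon event in the shape the SPL expects."""
    return {"_time": T0 + offset, "EventCode": code,
            "Account_Name": account, "ComputerName": host}


SAMPLE_EVENTS = [
    # alice: four failures in one minute, success two minutes later -> should alert
    ev(5, 4625, "alice", "WS01"), ev(12, 4625, "alice", "WS01"),
    ev(20, 4625, "alice", "WS01"), ev(41, 4625, "alice", "WS01"),
    ev(130, 4624, "alice", "WS01"),
    # bob: four failures and the success inside the same minute -> EventCodeDC=2,
    # so the primary search as written drops this interval
    ev(3, 4625, "bob", "WS02"), ev(8, 4625, "bob", "WS02"),
    ev(15, 4625, "bob", "WS02"), ev(22, 4625, "bob", "WS02"),
    ev(30, 4624, "bob", "WS02"),
    # carol: four failures, success only ~10 minutes later -> outside the window
    ev(7, 4625, "carol", "WS03"), ev(9, 4625, "carol", "WS03"),
    ev(11, 4625, "carol", "WS03"), ev(13, 4625, "carol", "WS03"),
    ev(700, 4624, "carol", "WS03"),
    # dave: only two failures -> below threshold
    ev(2, 4625, "dave", "WS04"), ev(4, 4625, "dave", "WS04"),
]


def primary_search(events, span=SPAN, threshold=THRESHOLD, window=WINDOW):
    """bin span=1m _time | stats count, dc(EventCode), values(EventCode) by _time, Account_Name
    | where EventCodeDC = 1 and EventCode=4625 | where count > 3
    | eval earliest = _time | eval latest = _time + 300"""
    buckets = defaultdict(list)
    for e in events:
        bucket = (e["_time"] // span) * span          # bin start, as Splunk's _time after bin
        buckets[(bucket, e["Account_Name"])].append(e["EventCode"])
    rows = []
    for (bucket, account), codes in sorted(buckets.items()):
        # dc(EventCode)=1 and that one code is 4625: failures only in this minute
        if set(codes) == {4625} and len(codes) > threshold:
            rows.append({"Account_Name": account, "count": len(codes),
                         "earliest": bucket, "latest": bucket + window})
    return rows


def secondary_search(events, row):
    """The map subsearch for one primary row:
    search EventCode=4624 Account_Name=$Account_Name$ earliest=$earliest$ latest=$latest$
    | stats count by Account_Name, ComputerName, _time | head 1
    Splunk treats earliest as inclusive and latest as exclusive; head 1 keeps the first row."""
    hits = [e for e in events
            if e["EventCode"] == 4624
            and e["Account_Name"] == row["Account_Name"]
            and row["earliest"] <= e["_time"] < row["latest"]]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["_time"])
    return {"Account_Name": first["Account_Name"],
            "ComputerName": first["ComputerName"], "_time": first["_time"]}


def map_search(events):
    """Run the secondary search once per primary row, as `map` does, and collect hits."""
    results = []
    for row in primary_search(events):
        hit = secondary_search(events, row)
        if hit is not None:
            results.append(hit)
    return results


if __name__ == "__main__":
    for r in map_search(SAMPLE_EVENTS):
        print(f"{r['Account_Name']} succeeded on {r['ComputerName']} at {r['_time']}")
```

Running the model on the constructed events flags only alice. The bob events illustrate a property of the primary search as written: because the success lands in the same minute as the failures, EventCodeDC is 2 for that interval and it is filtered out before map ever runs. Note also that in Splunk the number of secondary searches is capped by map's maxsearches argument (default 10), whereas this loop has no cap; when modelling larger inputs, keep that limit in mind when comparing results with the real search.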

Why Is This Useful?

  • Brute-Force Detection: Identifies potential brute-force attacks where attackers attempt multiple passwords until successful.
  • Targeted Analysis: Focuses on high-risk users or accounts with failed login patterns.
  • Incident Response: Provides actionable data, such as usernames, timestamps, and computer names, for further investigation or remediation.

While the map command is highly effective, it can be resource-intensive. Use it cautiously, particularly with large datasets, and apply constraints like time ranges or specific user filters to optimize performance.
