Using map Command in Splunk
The map command in Splunk is a powerful tool that enables executing secondary searches based on the results of a primary search. This capability allows for dynamic, nested investigations, making it particularly useful in cybersecurity for uncovering indicators of compromise (IOCs) or analyzing specific user activity patterns.
As an example, we can build a query that detects brute-force attempts, where a user has multiple failed login attempts followed by a successful login within a short time frame. The map command facilitates this by executing a secondary search for successful logins based on the results of a primary search for failed logins.
index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3
- bin span=1m _time: Groups events into 1-minute intervals.
- stats: Aggregates failed logins by user and time.
- where EventCodeDC = 1 and EventCode=4625: Filters only failed logins (no successful logins in the same interval).
- where count > 3: Identifies users with more than three failed attempts.
To narrow the investigation, add time constraints to check for successful logins (EventCode=4624) occurring within 5 minutes of the failed attempts.
index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3
| eval earliest = _time
| eval latest = _time + 300
Using the “map” command, run a secondary search for successful logins for each user identified in the primary search. Specify the time window (earliest and latest) to check for a successful login.
index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3
| eval earliest = _time
| eval latest = _time + 300
| map search="search index=windows EventCode=4624 Account_Name=$Account_Name$ earliest=$earliest$ latest=$latest$ | stats count by Account_Name, ComputerName, _time | head 1"
The map command runs a secondary search for each Account_Name identified in the primary search.
It checks for successful login events (EventCode=4624) within the specified time window (earliest to latest).
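To make the two-stage logic concrete, here is an added Python example (not Splunk code and not part of the original article) that mirrors the pipeline above over a small set of constructed events: the primary stage bins 4625 events into one-minute buckets per account and keeps buckets with more than three failures and no 4624, and the secondary stage is then run once per primary row, as map does, looking for the first 4624 in the 300-second window. Epoch timestamps, account names and host names are made up for the example.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (epoch seconds, EventCode, Account_Name, ComputerName)
EVENTS = [
    (1000, 4625, "alice", "WS01"), (1005, 4625, "alice", "WS01"),
    (1010, 4625, "alice", "WS01"), (1015, 4625, "alice", "WS01"),
    (1200, 4624, "alice", "WS01"),  # success 240 s after the failed burst -> should be reported
    (1000, 4625, "bob", "WS02"), (1005, 4625, "bob", "WS02"),
    (1010, 4625, "bob", "WS02"), (1015, 4625, "bob", "WS02"),
    (1019, 4624, "bob", "WS02"),    # success inside the same 1-minute bin -> dropped by dc(EventCode)=1
    (2000, 4625, "carol", "WS03"), (2001, 4625, "carol", "WS03"),  # only two failures -> below threshold
    (3000, 4625, "dave", "WS04"), (3001, 4625, "dave", "WS04"),
    (3002, 4625, "dave", "WS04"), (3003, 4625, "dave", "WS04"),  # burst with no later success
]

SPAN = 60       # bin span=1m
THRESHOLD = 3   # where count > 3
WINDOW = 300    # latest = _time + 300


def primary_search(events):
    """Mirror of the primary search: bin by minute, stats by (_time, Account_Name),
    keep bins that contain only 4625 events and more than THRESHOLD of them.
    Returns a list of (bin_time, account, earliest, latest) rows."""
    bins = defaultdict(list)
    for ts, code, acct, _host in events:
        bins[(ts - ts % SPAN, acct)].append(code)   # same alignment as bin span=1m
    hits = []
    for (bin_time, acct), codes in sorted(bins.items()):
        if len(set(codes)) == 1 and codes[0] == 4625 and len(codes) > THRESHOLD:
            hits.append((bin_time, acct, bin_time, bin_time + WINDOW))
    return hits


def secondary_search(events, acct, earliest, latest):
    """Mirror of the mapped search: first 4624 for the account with earliest <= _time < latest
    (Splunk treats earliest as inclusive and latest as exclusive)."""
    matches = [(ts, host) for ts, code, a, host in events
               if code == 4624 and a == acct and earliest <= ts < latest]
    return sorted(matches)[:1]   # | head 1


def detect(events):
    """Run the secondary search once per primary-search row, which is what map does."""
    results = []
    for _bin_time, acct, earliest, latest in primary_search(events):
        for ts, host in secondary_search(events, acct, earliest, latest):
            results.append((acct, host, ts))
    return results
```

Note that bob's burst is not reported because the success landed in the same one-minute bin as the failures; that is a consequence of the dc(EventCode)=1 filter in the primary search, and a detection engineer should be aware of that gap.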
Why Is This Useful?
- Brute-Force Detection: Identifies potential brute-force attacks where attackers attempt multiple passwords until successful.
- Targeted Analysis: Focuses on high-risk users or accounts with failed login patterns.
- Incident Response: Provides actionable data, such as usernames, timestamps, and computer names, for further investigation or remediation.
While the map command is highly effective, it can be resource-intensive. Use it cautiously, particularly with large datasets, and apply constraints like time ranges or specific user filters to optimize performance.