The map command in Splunk is a powerful tool that enables executing secondary searches based on the results of a primary search. This capability allows for dynamic, nested investigations, making it particularly useful in cybersecurity for uncovering indicators of compromise (IOCs) or analyzing specific user activity patterns.
Example of using – we can make the query for detecting Bruteforce attempts, where a user has multiple failed login attempts followed by a successful login within a short time frame. The map command can facilitate this by executing a secondary search for successful logins based on the results of a primary search for failed logins.
Example: Primary Search – Identify Failed Logins
The primary search identifies users who have more than three failed login attempts (EventCode=4625) in a 1-minute period without any successful login events.
index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3- bin span=1m _time: Groups events into 1-minute intervals.
- stats: Aggregates failed logins by user and time.
- where EventCodeDC = 1 and EventCode=4625: Filters only failed logins (no successful logins in the same interval).
- where count > 3: Identifies users with more than three failed attempts.
To narrow the investigation, add time constraints to check for successful logins (EventCode=4624) occurring within 5 minutes of the failed attempts.
index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3
| eval earliest = _time
| eval latest = _time + 300Using the “map” command, run a secondary search for successful logins for each user identified in the primary search. Specify the time window (earliest and latest) to check for a successful login.
index=windows EventCode=4625 OR EventCode=4624
| bin span=1m _time
| stats count, dc(EventCode) as EventCodeDC, values(EventCode) as EventCode by _time, Account_Name
| where EventCodeDC = 1 and EventCode=4625
| where count > 3
| eval earliest = _time
| eval latest = _time + 300
| map search="search index=windows EventCode=4624 Account_Name=$Account_Name$ earliest=$earliest$ latest=$latest$ | stats count by Account_Name, ComputerName, _time | head 1"The map command runs a secondary search for each Account_Name identified in the primary search.
It checks for successful login events (EventCode=4624) within the specified time window (earliest to latest).
Why Is This Useful?
- Brute-Force Detection: Identifies potential brute-force attacks where attackers attempt multiple passwords until successful.
- Targeted Analysis: Focuses on high-risk users or accounts with failed login patterns.
- Incident Response: Provides actionable data, such as usernames, timestamps, and computer names, for further investigation or remediation.
While the map command is highly effective, it can be resource-intensive. Use it cautiously, particularly with large datasets, and apply constraints like time ranges or specific user filters to optimize performance.
The post Using map Command in Splunk appeared first on SOC Prime.
