I'm working on a use case to detect unusual increases in interactive logins to Windows machines, a signal for potential lateral movement (MITRE T1021). To achieve this, I’m using a tstats search on the Authentication data model and a standard-deviation-based dynamic threshold per user on the number of distinct assets that user successfully authenticates to each day. If a day's count breaches that user's threshold, an alert is triggered. 🚨

Here’s a more detailed look at the SPL I’m using:

| tstats summariesonly=true dc(Authentication.dest) as device_count from datamodel=Authentication where Authentication.action=success AND source=WinEventLog:Security AND NOT Authentication.user IN ("DWM-*" "UMFD-*") by _time span=1d Authentication.user
| eventstats avg(device_count) as avg_devices stdev(device_count) as stdev_devices by Authentication.user
| eval threshold=avg_devices + 2.5*stdev_devices
| where device_count > threshold AND stdev_devices > 1

This approach helps identify potential lateral movement by letting each user's own history set the threshold instead of one static number for everyone. A few things to keep in mind when tuning it:

The eventstats baseline includes the day being scored. With the sample stdev that Splunk's stdev() computes, no single value in a set of n can sit more than (n-1)/sqrt(n) standard deviations from the mean, so one spiking day can never cross avg + 2.5*stdev unless the search window holds at least 9 daily buckets. Run it over a lookback of several weeks, or compute the baseline without the current day.

stdev_devices > 1 is a noise filter: a user who always touches exactly two hosts would otherwise alert on the day they touch three. A genuine fan-out pushes the stdev above 1 on its own, so the filter only suppresses small jumps.

As written, the search counts every successful authentication from WinEventLog:Security, not only interactive ones. Restrict it to 4624 with Authentication.signature_id, and to interactive logon types if your data model has been extended with the Windows logon type.

The most recent span=1d bucket is partial unless the search ends on a day boundary, so score completed days rather than the current one.
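To make the threshold logic concrete, here is the same per-user avg + k*stdev scoring run over constructed Windows logon events in Python. This is an added example, not the original post's SPL: the users, hosts, dates and daily counts are made up, and the helper min_buckets_for_single_spike() is an addition that shows the window-size bound rather than anything the SPL computes.

```python
"""Added example, not the original post's SPL: the same per-user
avg + k*stdev threshold logic run over constructed Windows logon events.
User names, hosts, timestamps and daily counts below are made up."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from math import sqrt
from statistics import mean, stdev


def build_events(user, daily_counts, start="2024-03-01"):
    """Constructed 4624-style successful logons: on day i the user reaches
    WS01..WS<n>, plus a second logon to WS01 so the distinct count matters."""
    events = []
    first = date.fromisoformat(start)
    for i, n in enumerate(daily_counts):
        day = first + timedelta(days=i)
        for h in range(1, n + 1):
            events.append((user, f"WS{h:02d}", f"{day}T08:{h:02d}:00"))
        events.append((user, "WS01", f"{day}T17:00:00"))
    return events


# jdoe: quiet for 13 days, then fans out to 12 hosts (lateral movement pattern).
# svc_backup: always 5 hosts, then 6 (a small jump the stdev gate should drop).
EVENTS = (build_events("jdoe", [2, 2, 3, 2, 2, 3, 2, 2, 2, 3, 2, 2, 3, 12])
          + build_events("svc_backup", [5] * 13 + [6]))


def daily_distinct_dests(events):
    """tstats dc(Authentication.dest) ... by _time span=1d Authentication.user
    (buckets are the calendar day of the event timestamp here)."""
    hosts = defaultdict(set)
    for user, dest, ts in events:
        hosts[(user, datetime.fromisoformat(ts).date())].add(dest)
    return {key: len(v) for key, v in hosts.items()}


def detect(events, k=2.5, min_stdev=1.0):
    """eventstats avg/stdev by user over the whole window (scored day included,
    as in the SPL), then where count > avg + k*stdev AND stdev > min_stdev."""
    per_user = defaultdict(dict)
    for (user, day), n in daily_distinct_dests(events).items():
        per_user[user][day] = n
    alerts = []
    for user, days in per_user.items():
        counts = list(days.values())
        if len(counts) < 2:
            continue  # a single bucket has no spread to score against
        avg, sd = mean(counts), stdev(counts)  # sample stdev, like Splunk's stdev()
        threshold = avg + k * sd
        for day, n in sorted(days.items()):
            if n > threshold and sd > min_stdev:
                alerts.append((user, day.isoformat(), n, threshold))
    return alerts


def min_buckets_for_single_spike(k):
    """Smallest window n in which one outlying day can exceed avg + k*stdev.
    Samuelson's inequality bounds any value's z-score by (n-1)/sqrt(n)."""
    n = 2
    while (n - 1) / sqrt(n) <= k:
        n += 1
    return n


if __name__ == "__main__":
    for user, day, n, thr in detect(EVENTS):
        print(f"ALERT {user} {day}: {n} hosts > threshold {thr:.2f}")
    print("daily buckets needed for k=2.5:", min_buckets_for_single_spike(2.5))
```

With the 14-day sample, jdoe's fan-out day is the only alert (12 hosts against a threshold of about 9.58), and svc_backup's step from 5 to 6 hosts is dropped by the stdev gate even though it clears avg + 2.5*stdev; pass min_stdev=0.0 to see it fire. Truncate jdoe to seven days and the same 12-host spike produces nothing, which is the window-size bound in action.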

Interested in the SPL or need it for another SIEM system? Drop a comment or DM me! 💬

#Splunk #SIEM #InfoSec #MITRE #CyberSecurity #TechTuesday #ThreatDetection

@ukitguru love this idea. Can you explain what the user exclusions are?
@st00pidhacker Ah yes, those are specific to my client’s environment; they would need customisation based on the specific environment, tuning out the noise of irrelevant accounts.