WARNING THIS IS A EXPERIMENTAL object
We have not been able to test, simulate, or build datasets for this object. Use at your own risk. This analytic is NOT supported.
This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Network_Traffic
- Last Updated: 2020-07-21
- Author: Jose Hernandez, Splunk
- ID: a98727cc-286b-4ff2-b898-41df64695923
Kill Chain Phase
- CIS 12
- CIS 9
- CIS 16
1 2 3 4 5 6 7 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`
The SPL above uses the following Macros:
Note that remote_desktop_network_bruteforce_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
How To Implement
You must ensure that your network traffic data is populating the Network_Traffic data model.
Known False Positives
RDP gateways may have unusually high amounts of traffic from all other hosts’ RDP applications in the network.
Associated Analytic story
source | version: 2