topic Re: how to find Anomalies in my login data in Security

How to find Anomalies in my login data?

satyaallaparthi — Tue, 08 Nov 2022 16:02:04 GMT

Looking for the exact query to find outliers or anomalies in my csv data using stddev in Splunk enterprise?

Fields from csv: user, action, src, dest, host, _time

Any help would be appreciated.

Thanks in advance!

Re: how to find Anomalies in my login data

ITWhisperer — Mon, 07 Nov 2022 23:32:58 GMT

It is not possible to give you an "exact query" because you haven't provided sufficient detail as to what you are measuring.

Re: how to find Anomalies in my login data

satyaallaparthi — Tue, 08 Nov 2022 00:24:18 GMT

I'm trying to measure login count or unusual number of logins from particular source.

Re: how to find Anomalies in my login data

ITWhisperer — Tue, 08 Nov 2022 06:16:44 GMT

Still insufficient detail for an "exact query", so I will make some assumptions

``` Load your data ``` | inputlookup your.csv ``` Use hourly timeslices ``` | bin _time span=1h ``` Only keep login actions ``` | where action="LOGIN" ``` Count events by hour and source ``` | stats count by _time src ``` Find mean and standard deviation ``` | eventstats avg(count) as avg stddev(count) as stddev by src ``` Find deviation from mean in terms of standard deviation ``` | eval deviation=(count-avg)/stddev ``` Keep hours with sources deviating from their mean by more than 2 standard deviations ``` | where abs(deviation) > 2