https://community.splunk.com/t5/Splunk-Cloud-Platform/Suspicious-Event-Log-Service-Behavior/m-p/675466#M2770 <P>I am trying to fine tune one use case "Suspicious Event Log Service Behaviour". Below is the rule logic&nbsp;<BR /><BR />(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` | collect index=asx sourcetype=asx marker="mitre_id=T1070.001, execution_type=adhoc, execution_time=1637664004.675815"<BR /><BR />but the rule is currently too noisy. Is it possible to set a bin time(5mins) between stop logging and start logging events. After 5mins if the logging started then I want to ignore the alerts.&nbsp;<BR /><BR />Or I have seen a field named dvc_priority, can we set the alerts only for high or critical?&nbsp;<BR /><BR />Help me with the query please.&nbsp;</P> Fri, 26 Jan 2024 00:29:20 GMT Abhirup_10 2024-01-26T00:29:20Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Suspicious-Event-Log-Service-Behavior/m-p/675466#M2770 <P>I am trying to fine tune one use case "Suspicious Event Log Service Behaviour". Below is the rule logic&nbsp;<BR /><BR />(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` | collect index=asx sourcetype=asx marker="mitre_id=T1070.001, execution_type=adhoc, execution_time=1637664004.675815"<BR /><BR />but the rule is currently too noisy. Is it possible to set a bin time(5mins) between stop logging and start logging events. After 5mins if the logging started then I want to ignore the alerts.&nbsp;<BR /><BR />Or I have seen a field named dvc_priority, can we set the alerts only for high or critical?&nbsp;<BR /><BR />Help me with the query please.&nbsp;</P> Fri, 26 Jan 2024 00:29:20 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Suspicious-Event-Log-Service-Behavior/m-p/675466#M2770 Abhirup_10 2024-01-26T00:29:20Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Suspicious-Event-Log-Service-Behavior/m-p/675644#M2787 <DIV class=""><DIV class="">&nbsp;</DIV></DIV><DIV class=""><DIV class=""><DIV class=""><P><STRONG>Hi there,</STRONG></P><P><STRONG>1. Implement a 5-Minute Bin Time:</STRONG></P><UL><LI><STRONG>Add the<SPAN>&nbsp;</SPAN>bucket<SPAN>&nbsp;</SPAN>command:</STRONG></LI></UL><DIV class=""><PRE><SPAN class="">search (wineventlog_security EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | security_content_ctime(firstTime) | security_content_ctime(lastTime) | suspicious_event_log_service_behavior_filter</SPAN> | bucket _time span=5m | ... (rest of your query)</PRE></DIV><UL><LI><STRONG>Filter out events with gaps within 5 minutes:</STRONG></LI></UL><DIV class=""><PRE>... | stats count as event_count by _time dest Message EventCode | eval is_first_event = if(_time == earliest(_time), 1, 0) | eval is_noisy_event = if(event_count &gt; 1 AND is_first_event == 0, 1, 0) | filter not is_noisy_event</PRE></DIV><P><STRONG>2. Filter by dvc_priority:</STRONG></P><UL><LI><STRONG>Add a filter condition:</STRONG></LI></UL><DIV class=""><PRE>... | where dvc_priority = "high" OR dvc_priority = "critical" | ... (rest of your query)</PRE></DIV><P><STRONG>Additional Tips:</STRONG></P><UL><LI><STRONG>Tailor the bin time:</STRONG><SPAN>&nbsp;Adjust the&nbsp;</SPAN>span<SPAN>&nbsp;value in&nbsp;</SPAN>bucket _time span=5m<SPAN>&nbsp;to match your desired timeframe.</SPAN></LI><LI><STRONG>Prioritize based on risk:</STRONG><SPAN>&nbsp;If&nbsp;</SPAN>dvc_priority<SPAN>&nbsp;accurately reflects risk,</SPAN><SPAN>&nbsp;filtering by it can be effective.</SPAN></LI><LI><STRONG>Test thoroughly:</STRONG><SPAN>&nbsp;Implement changes in a non-production environment first to ensure they work as intended.</SPAN></LI><LI><STRONG>Combine strategies:</STRONG><SPAN>&nbsp;For optimal results,</SPAN><SPAN>&nbsp;consider using both bin time and&nbsp;</SPAN>dvc_priority<SPAN>&nbsp;filtering together.</SPAN></LI></UL><P><STRONG>Remember:</STRONG></P><UL><LI><SPAN>Replace any placeholders like&nbsp;</SPAN>... (rest of your query)<SPAN>&nbsp;with the actual remaining parts of your query.</SPAN></LI><LI><SPAN>Adapt field names and values to match your specific Splunk configuration.</SPAN></LI></UL><P><SPAN>I'm here to assist further if you have any more questions or need additional guidance!</SPAN></P><P><STRONG>~ If this helps, a Karma upvote would be much appreciated.</STRONG></P></DIV></DIV></DIV> Sun, 28 Jan 2024 10:05:49 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Suspicious-Event-Log-Service-Behavior/m-p/675644#M2787 datadevops 2024-01-28T10:05:49Z