topic Re: Fetching the keywords before creating queries in Alerting

Fetching the keywords before creating queries

Amadou — Mon, 06 May 2024 11:20:46 GMT

Hello,

I just want to know before creating an alert how to find the keywords inside that will compose your alert?

please answer with and example.

Thank you so much.

Re: Fetching the keywords before creating queries

gcusello — Mon, 06 May 2024 12:32:36 GMT

Hi @Amadou,

could you better describe your requirement?

in the alert you should insert the conditions to verify.

e.g. if you want to chack thet in windows there aren't 10 logfail events (EventCode=4625), you could run:

index=wineventlog EventCode=4625 | stats count BY host user | where count>10

As I said, the search depends on the conditions to check.

Ciao.

Giuseppe

Re: Fetching the keywords before creating queries

Amadou — Mon, 06 May 2024 13:54:27 GMT

@gcusello For instance you received a ticket that say you have to create an alert to detect IAM root user multiple fail login attempt, index aws

Re: Fetching the keywords before creating queries

gcusello — Mon, 06 May 2024 14:27:25 GMT

Hi @Amadou,

search in aws logs or documentation how to recognize the logfail in aws (e.g. in windows logfail is EventCode=4625) and modify my search.

Ciao.

Giuseppe

Re: Fetching the keywords before creating queries

Amadou — Tue, 07 May 2024 14:47:37 GMT

@gcusello in case you just have an index and you have to find keywords inside of this index, from which parameter you choose your keywords inside of this index? as we know in the left side of splunk you have many field with keywords.

Re: Fetching the keywords before creating queries

gcusello — Tue, 07 May 2024 15:16:32 GMT

Hi @Amadou,

the main issue in developing a Splunk search is to know what to search, then you can use the SPL for searching the rules that you defined in your knowledge of the technology to monitor.

I don't know what's your technology to monitor, as I said in my sample: if you are using windows EventCode=4625 menas log fail.

So what are the conditions that you need to search?

if you need to search a value in a field (e.g. EventCode=4625) you an use this field, if you need to search a string (e.g. "login successful"), you can search for this string.

Did you tried to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to be guided in the use of SPL?

Ciao.

Giuseppe

Re: Fetching the keywords before creating queries

Amadou — Wed, 08 May 2024 10:21:28 GMT

@gcusello Thank you so much

Re: Fetching the keywords before creating queries

Amadou — Wed, 08 May 2024 10:29:31 GMT

Thank you so much, i just find out that it is all about search at any time you receive and index to create an alert you should make a research on this index and the specific request that the user want you detect inside of this index.

example: redshift/ consecutive login failed

Re: Fetching the keywords before creating queries

gcusello — Wed, 08 May 2024 15:44:28 GMT

Hi @Amadou,

as I said, you have to find the conditions to search (in other words the words or strings or field values to search)

then you can use the stats command to find the number of occurrences grouped e.g. for host and user.

e.g. in windows if you want an alert with log failed greater than 5, you could run:

index=wineventlog EventCode=4625 | stats count BY host user | where count>5

Ciao.

Giuseppe