https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657203#M226993 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260338">@Dustem</a>,</P><P>you schedule your search every day (using the last day as time frame) and you save the results in a summary index, one event every day.</P><P>Then you can schedule a search on the summary index, using three days as time frame.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 11 Sep 2023 13:53:09 GMT gcusello 2023-09-11T13:53:09Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657179#M226989 <P><SPAN>hi guys, I want to detect that more than 10 different ports of the same host are sniffed and scanned every 15 minutes and triggered 5 times in a row, then the alarm; If the same time period is triggered for three consecutive days, the alarm is triggered.<BR /></SPAN>The current SPL:</P> <P>index="xx"</P> <P>| bin _time span=15m</P> <P>| stats dc(dest_port) as dc_ports by _time src_ip dest_ip</P> <P>| where dc_ports &gt; 10<BR />| streamstats count as consecutive_triggers by src_ip dest_ip reset_on_change=Ture</P> <P>| where consecutive_triggers&gt;=5</P> <P>&nbsp;</P> <P>Next, I don't know how to query the trigger for the same period for three consecutive days.</P> Mon, 11 Sep 2023 16:41:52 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657179#M226989 Dustem 2023-09-11T16:41:52Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657183#M226991 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260338">@Dustem</a>,</P><P>you could save the results of you search in a summary index (using the collect command), then execute the alert on the summary index and trigger it if you have more than 3 results.</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Mon, 11 Sep 2023 12:19:55 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657183#M226991 gcusello 2023-09-11T12:19:55Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657202#M226992 <P>Hi gcusello,</P><P>How do I set it to trigger at the same time in three days?</P> Mon, 11 Sep 2023 13:46:48 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657202#M226992 Dustem 2023-09-11T13:46:48Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657203#M226993 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260338">@Dustem</a>,</P><P>you schedule your search every day (using the last day as time frame) and you save the results in a summary index, one event every day.</P><P>Then you can schedule a search on the summary index, using three days as time frame.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 11 Sep 2023 13:53:09 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657203#M226993 gcusello 2023-09-11T13:53:09Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657205#M226994 <P>Can I do this by writing SPL?</P> Mon, 11 Sep 2023 14:00:35 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657205#M226994 Dustem 2023-09-11T14:00:35Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657219#M226998 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260338">@Dustem</a>,</P><P>yes, you should create an alert, scheduled e.g. one time&nbsp; day like the following:</P><LI-CODE lang="markup">index="xx" | bin _time span=15m | stats dc(dest_port) as dc_ports by _time src_ip dest_ip | where dc_ports &gt; 10 | streamstats count as consecutive_triggers by src_ip dest_ip reset_on_change=Ture | where consecutive_triggers&gt;=5 | collect index=my_summary</LI-CODE><P>that triggers the conditons you need and saves results in a summary index.</P><P>then if the alert is named "scan"</P><P>you can search on the summary for the search_name="scan" in the last three days:</P><LI-CODE lang="markup">index=my_summary search_name=scan | stats count BY src_ip dest_ip | where count&gt;5</LI-CODE><P>Obviously you have to adapt my approach to your Use case.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 11 Sep 2023 15:13:16 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/657219#M226998 gcusello 2023-09-11T15:13:16Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/658073#M227314 <P>Hello&nbsp;<SPAN>gcusello,</SPAN></P><P>Sorry, I forgot to reply. I rewrote SPL myself to complete the requirements, thanks for your help.</P> Wed, 20 Sep 2023 02:31:02 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/658073#M227314 Dustem 2023-09-20T02:31:02Z https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/658086#M227321 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260338">@Dustem</a>&nbsp;,</P><P>good for you, see next time!</P><P>let me know if I can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 20 Sep 2023 06:45:49 GMT https://community.splunk.com/t5/Splunk-Search/Scan-Behavior-How-to-query-the-trigger-for-the-same-period-for/m-p/658086#M227321 gcusello 2023-09-20T06:45:49Z