Alerting

Alert Omitting

saotaigiri
Path Finder

The query below is what is used to detect scanning on a network:

| tstats summariesonly=t allow_old_summaries=t dc(All_Traffic.dest_port) as num_dest_port dc(All_Traffic.dest_ip) as num_dest_ip from datamodel=Network_Traffic by All_Traffic.src_ip
| rename "All_Traffic.*" as "*"
| where num_dest_port > 100 OR num_dest_ip > 100
| sort - num_dest_ip

 

Unfortunately it detects syslog scanning and causes false positives. Please I need help on how or where to add dedup udp514 to the syntax so it omits the syslog files it detects or an option on how to omit the syslog files. Thanks

 

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It would help to see sample output from the query with the undesired event(s) highlighted.

In general, the where command can be used to omit undesired events.

---
If this reply helps you, Karma would be appreciated.
0 Karma

saotaigiri
Path Finder

The output of the query brings the source IP, number of dest port and IPs. So when I dug deeper by search source IP one by one I found each IP address traffic is UDP 514 which is syslog server, hence my intent to add dedup udp514 to the query.  Please what do you think?

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...