Re: Alert Omitting

saotaigiri · ‎10-01-2020

The query below is what is used to detect scanning on a network:

| tstats summariesonly=t allow_old_summaries=t dc(All_Traffic.dest_port) as num_dest_port dc(All_Traffic.dest_ip) as num_dest_ip from datamodel=Network_Traffic by All_Traffic.src_ip
| rename "All_Traffic.*" as "*"
| where num_dest_port > 100 OR num_dest_ip > 100
| sort - num_dest_ip

Unfortunately it detects syslog scanning and causes false positives. Please I need help on how or where to add dedup udp514 to the syntax so it omits the syslog files it detects or an option on how to omit the syslog files. Thanks

richgalloway · ‎10-01-2020

It would help to see sample output from the query with the undesired event(s) highlighted.

In general, the where command can be used to omit undesired events.

---
If this reply helps you, Karma would be appreciated.

saotaigiri · ‎10-01-2020

The output of the query brings the source IP, number of dest port and IPs. So when I dug deeper by search source IP one by one I found each IP address traffic is UDP 514 which is syslog server, hence my intent to add dedup udp514 to the query. Please what do you think?

Alert Omitting

alert action

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation