Alerting

Fetching the keywords before creating queries

Amadou
Loves-to-Learn

Hello, 

I just want to know, before creating an alert, how to find the keywords that will compose your alert.

Please answer with an example.

Thank you so much.

0 Karma

Amadou
Loves-to-Learn

@gcusello In case you just have an index and you have to find keywords inside of this index, from which parameter do you choose your keywords inside of this index? As we know, on the left side of Splunk you have many fields with keywords.

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

The main issue in developing a Splunk search is to know what to search; then you can use SPL to search for the rules that you defined from your knowledge of the technology to monitor.

I don't know what your technology to monitor is; as I said in my sample, if you are using Windows, EventCode=4625 means a login failure.

So what are the conditions that you need to search?

If you need to search for a value in a field (e.g. EventCode=4625), you can use this field; if you need to search for a string (e.g. "login successful"), you can search for this string.

Did you try to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to be guided in the use of SPL?

Ciao.

Giuseppe

0 Karma

Amadou
Loves-to-Learn

@gcusello For instance, you received a ticket that says you have to create an alert to detect multiple failed login attempts by the IAM root user, index aws.

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

Search in AWS logs or documentation for how to recognize a login failure in AWS (e.g. in Windows a login failure is EventCode=4625) and modify my search.

Ciao.

Giuseppe

0 Karma

Amadou
Loves-to-Learn

Thank you so much, I just found out that it is all about searching: any time you receive an index to create an alert, you should do research on this index and the specific request that the user wants you to detect inside of this index.

Example: redshift / consecutive failed logins

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

As I said, you have to find the conditions to search (in other words, the words, strings or field values to search);

then you can use the stats command to find the number of occurrences grouped, e.g., by host and user.

E.g. in Windows, if you want an alert when failed logins are greater than 5, you could run:

index=wineventlog EventCode=4625
| stats count BY host user
| where count>5

Ciao.

Giuseppe

0 Karma

Amadou
Loves-to-Learn

@gcusello Thank you so much

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

Could you better describe your requirement?

In the alert you should insert the conditions to verify.

E.g. if you want to check that in Windows there aren't 10 login failure events (EventCode=4625), you could run:

index=wineventlog EventCode=4625
| stats count BY host user
| where count>10

As I said, the search depends on the conditions to check.

Ciao.

Giuseppe

0 Karma
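The two `stats count BY host user | where count>N` searches above, and the AWS root-user requirement raised earlier in the thread, all reduce to the same logic: filter events on the "keyword" field values, count per group, keep groups over a threshold. The following Python emulation is an added example, not code from the thread or from Splunk. The sample events are constructed, and the CloudTrail field names (eventName, userIdentity.type, responseElements.ConsoleLogin) are an assumption to be confirmed in the AWS documentation, as gcusello advises.

```python
from collections import Counter

# Constructed sample events (not from the thread), reduced to the fields
# the searches use. Windows Security log: 4625 = logon failure, 4624 = success.
WINDOWS_EVENTS = (
    [{"index": "wineventlog", "EventCode": "4625", "host": "dc01", "user": "alice"}] * 6
    + [{"index": "wineventlog", "EventCode": "4625", "host": "dc01", "user": "bob"}] * 2
    + [{"index": "wineventlog", "EventCode": "4624", "host": "dc01", "user": "alice"}]
)

# Assumed CloudTrail field names for a console login by the root user;
# verify them against the AWS CloudTrail documentation before alerting on them.
AWS_EVENTS = (
    [{"index": "aws", "eventName": "ConsoleLogin", "userIdentity.type": "Root",
      "responseElements.ConsoleLogin": "Failure", "host": "aws-cloudtrail",
      "user": "root"}] * 3
    + [{"index": "aws", "eventName": "ConsoleLogin", "userIdentity.type": "Root",
        "responseElements.ConsoleLogin": "Success", "host": "aws-cloudtrail",
        "user": "root"}]
)


def stats_count_by(events, conditions, group_by, threshold):
    """Emulate `<conditions> | stats count BY <group_by> | where count><threshold>`.

    conditions: field=value pairs every event must match (the "keywords").
    group_by:   field names to group on, like `BY host user`.
    Returns {group_tuple: count} for groups whose count exceeds the threshold.
    """
    counts = Counter()
    for ev in events:
        if all(ev.get(field) == value for field, value in conditions.items()):
            counts[tuple(ev.get(k) for k in group_by)] += 1
    return {group: n for group, n in counts.items() if n > threshold}


def windows_failed_logins(threshold=5):
    # index=wineventlog EventCode=4625 | stats count BY host user | where count>threshold
    return stats_count_by(WINDOWS_EVENTS, {"index": "wineventlog", "EventCode": "4625"},
                          ("host", "user"), threshold)


def aws_root_failed_logins(threshold=2):
    # Same shape; only the conditions (the keywords) change for the AWS ticket.
    conditions = {"index": "aws", "eventName": "ConsoleLogin",
                  "userIdentity.type": "Root", "responseElements.ConsoleLogin": "Failure"}
    return stats_count_by(AWS_EVENTS, conditions, ("host", "user"), threshold)
```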