Alerting

Splunk ES Correlation Search Not Firing [When it should]

BrianKJr
Explorer

Hello,

So I am working on a CS for Enterprise Security that, when run manually, returns results; however, when it's scheduled to run it does not return anything.

I've looked in the _internal index and found that:

  • 0 suppressions are taking effect
  • 0 results are returned
  • All searches ran successfully

I've looked in the notable index and confirmed that 0 alerts are firing.

The CS is running as ADMIN within the application context of Enterprise Security.

This is the search:

index=cylance_protect sourcetype=threat
| eval FirstFound=split('First Found'," ")
| eval FirstFoundDate=mvindex(FirstFound,0)
| eval FirstFoundDate_epoch=strptime(FirstFoundDate, "%m/%d/%Y")
| eval currentTime=now()
| eval currentTime=strftime(currentTime, "%m/%d/%Y")
| eval currentTime_epoch=strptime(currentTime, "%m/%d/%Y")
| eval CreatedDaysAgo=(currentTime_epoch-FirstFoundDate_epoch)/86400
| eval CreatedDaysAgo=round(CreatedDaysAgo)
| search CreatedDaysAgo < 2
| table _time FirstFound CreatedDaysAgo DeviceName Tenant user action "Cylance Score" signature "Detected By" "Ever Run" "File Name" file_path file_hash

Are the eval statements causing this issue? I used the above logic to ONLY return 'new' Cylance detections within the last 1 day.

scelikok
SplunkTrust

Hi @BrianKJr,

The problem may be the time range setting on your correlation search. Are you using the same time-range on manual testing? Maybe you should increase time-range on your correlation search.

If this reply helps you an upvote is appreciated. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

BrianKJr
Explorer

After further troubleshooting the time range WAS the issue due to the API schedule for threats being forwarded to Splunk. The API through Cylance / Splunk will need to be looked at because it's not sending logs as often as it should be.

The solution for the interim is to extend the time range from 2 hours to 12 hours.

Thanks for responding 🙂

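As an added illustration (not code from the thread), here is a small Python model of the failure mode BrianKJr describes: a correlation search that fires every 5 minutes and looks back 1 hour can never match a detection whose Cylance API pull lands it in Splunk more than an hour after its event time, so extending the lookback past the worst ingestion lag is what makes the notables appear. The sample events, the 6-hour pull interval and the earliest-inclusive / latest-exclusive window semantics are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: three Cylance threat events with the time the detection
# happened (_time) and the time the API pull actually indexed it (_indextime).
# The pull here runs every 6 hours, so arrival lags detection by up to 6h.
EVENTS = [
    {"file_name": "a.exe", "_time": datetime(2024, 1, 10, 0, 15), "_indextime": datetime(2024, 1, 10, 6, 0)},
    {"file_name": "b.exe", "_time": datetime(2024, 1, 10, 4, 40), "_indextime": datetime(2024, 1, 10, 6, 0)},
    {"file_name": "c.exe", "_time": datetime(2024, 1, 10, 11, 50), "_indextime": datetime(2024, 1, 10, 12, 0)},
]

DAY_START = datetime(2024, 1, 10)
DAY_END = datetime(2024, 1, 11)
EVERY_5_MIN = timedelta(minutes=5)


def scheduled_runs(start, end, every):
    """Yield the wall-clock times at which the correlation search fires."""
    run_at = start
    while run_at <= end:
        yield run_at
        run_at += every


def events_seen(events, start, end, every, lookback):
    """Return the file names that at least one scheduled run would match.

    A run at time R only sees events already indexed (_indextime <= R) whose
    _time falls inside [R - lookback, R), which is how a search scheduled with
    earliest=-1h latest=now selects events (it filters on _time, not arrival).
    """
    seen = set()
    for run_at in scheduled_runs(start, end, every):
        for ev in events:
            if ev["_indextime"] <= run_at and run_at - lookback <= ev["_time"] < run_at:
                seen.add(ev["file_name"])
    return seen


def minimum_lookback(events, every):
    """Smallest lookback that puts every event inside at least one run:
    the worst observed ingestion lag plus one scheduling interval."""
    worst_lag = max(ev["_indextime"] - ev["_time"] for ev in events)
    return worst_lag + every


if __name__ == "__main__":
    for hours in (1, 12):
        hit = events_seen(EVENTS, DAY_START, DAY_END, EVERY_5_MIN, timedelta(hours=hours))
        print(f"lookback {hours:2}h -> alerted on {sorted(hit)}")
    print("minimum safe lookback:", minimum_lookback(EVENTS, EVERY_5_MIN))
```

With the 1-hour window only c.exe ever alerts; with 12 hours all three do, matching the interim fix in the thread.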

BrianKJr
Explorer

Hello @scelikok 

Yes, the search runs every 5 minutes and looks back 1 hour. Today it should have generated three unique alerts.

It's been running for a couple of days at this point, and the base search has matched 10+ events. We've received 0 though.
