How to detected a Deviation of 20% vs weekly aver...

christianubeda · ‎05-07-2019

Hi team!

I need to do that:

Eventcode = 4624 and 4634 with Logon Type = 10. An event will be generated if an access volume above normal is detected. Deviation of 20% vs weekly average.

This is my search right now;

index=* index=* (EventCode=4624 OR EventCode=4634) eventtype=wineventlog_security
| stats values(host), values(EventCodeDescription), values(Changes), values(Account_Domain), values(action) by _time
| rename values(host) as Host, values(EventCodeDescription) as Description, values(Changes) as Changes, values(Account_Domain) as "Account Domain", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)

But I dont know how to detected a Deviation of 20% vs weekly average. I mean, how can I do that?

Thank you a lot.

woodcock · ‎10-08-2019

Check out this great Q&A (don't forget to UpVote) and links:
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html

DavidHourani · ‎05-07-2019

Hi @christianubeda,

You seem to be looking for something like this :

index="_audit" | timechart span=1h count as A | eventstats avg(A) as WeeklyAverage | tail 1 | eval Result=(A/WeeklyAverage)*100

From there tweak the span to compare per hour/day/week and use the result for your threshold condition.

Cheers,
David

How to detected a Deviation of 20% vs weekly average?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms