Knowledge Management

Splunk Rules / Enable

Munda9021
New Member

Please elaborate on .....is what makes up the rule and how is it enabled in Splunk?

Thanks
RB

Tags (1)
0 Karma

Richfez
SplunkTrust
SplunkTrust

That's a pretty broad question, but let's see if one of these helps answer it.

"Rules" in Splunk could be a couple of things I can think of (and which Google returns as hits, which means "other" people refer to as Rules sometime).

Searches could be considered "Rules" if you stretch it a bit. Even if that's not what you were after, I wanted to start here because everything else that you are probably referring to as a "Rule" is probably something based on a search at some point, so a basic understanding of a search is essential. A search is, well, a search. Like a SQL Query or a question you are asking Google, it's a request to retrieve a certain sort of information out of your Splunk data, like "Show me how many hits we got on our website in the past 5 minutes". The language searches are written in is called SPL. If you'd like more about this, please see the docs for Getting started with Search, and especially try your hand at the Search Tutorial.

Alerts would probably be the next thing I'd think of as Rules (and more so than Searches). Alerts take some saved searches results and "does something" with them. They may email you or others when the search returns certain data, trigger a script, or possibly create a trouble ticket. Anything you can write a search for you can create an alert for. The link at the front of the paragraph can give you more information on that, though if you haven't done the Splunk Tutorial, I'd do that first. There are also Splunk Reports, but I wouldn't much think of them as "Rules". A Report would likely be scheduled and would always run, like "Every morning at 8, send an email of the hits by user on the website over the past 24 hours to Management", whereas an Alert would be "Every 15 minutes, check the past 15 minutes worth of hits and if it's over 1 million send an email to the network team that we're potentially being DoS'ed, if it's below 1 million don't do anything". I just made up that example, but hopefully you get the point.

Some of the Premium products (Splunk Enterprise Security and others) also use what are called Correlation Searches. Those might be just considered a special type of search. The previous link explains them, but perhaps doesn't do them justice. I'd add to its definition that a Correlation Search is a "wider net" usually, and leverages multiple data types to hunt for suspicious activity or anomalous behavior. Instead of "Show me how many hits our website got in the past 5 minutes" it might be something more complex, like "Show me the originating IP addresses of hits on our website to pages that don't exist that exceed our 95th percentile over the past week of the hits on pages that don't exist". I was coming up with that one off the top of my head, maybe it got out of hand. 🙂 I found the first few paragraphs of this Splunk Blog entry on Event Correlation gives a reasonable explanation, too. You can write your own Correlation searches too, they're just regular searches with the specific intent of finding suspicious behaviors.

If those get you your answer, great. If not, please let us know a little more specifically what "Rules" you'd like more information about!

Happy Splunking!
-Rich

Munda9021
New Member

Hi Rich, that was definitely very informative. One last thing, where can I find the below information for an alert...

Additional Fields:
• Device type focus: Windows/Linux/Database/Networking (if applicable)
• Date Created
• Last Reviewed
• Rule Creator

Regards
Rahul

0 Karma

Richfez
SplunkTrust
SplunkTrust

Some of that information is contained in the Triggered Alerts pages.

For other items, like Date Created or Last Reviewed, it really depends on what you mean and how things are set up. For instance, you could set up an Alert to email someone, and ONLY email someone. At that point, the fired alert will not show up in the triggered alerts because you didn't tell it to do that.

But there's also an audit trail available and the internal logs will show all sorts of information. You can find them by searching something akin to index=_* but that's possibly not for the faint of heart.

A better possibility on finding that information might be to search splunkbase for the word _internal. At least some of those aps are for displaying user information and activities. Some might either come with canned report displaying information on Alerts that have fired and user activities relating to alerts, or be easily modifiable to do so.

So, sorry for the even more vague answer, but it's really a pretty specific topic that I'm not sure it addressed real well generically anywhere. Hopefully the tips above will get you pointed in the right direction and get you started on whatever you need. Perhaps if you start down this path and end up having specific and somewhat targeted questions you can create a new Question and see what develops from those answers.

0 Karma

Munda9021
New Member

Rich, thank you for taking the time to answer my questions. Appreciate it! I am actually in the middle of creating a document with all the correlation rules which would contain the alert information and reason for it to be triggered.

Thank you
R

0 Karma

Richfez
SplunkTrust
SplunkTrust

That sounds like a fabulous idea. I oughtta do it myself. 🙂

0 Karma

Munda9021
New Member

Please elaborate on both questions! Thanks

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...