Security

What are some potential correlation search SPL?

AL3Z
Builder

Hi,

Looking for SPL like within a brief span of time, say two hours, a user prompts alerts for both PDM and encrypted files.

thanks


gcusello
SplunkTrust

Hi @AL3Z,

probably you should try to better describe your requirement!

which data source are you speaking of?

why do you speak of Correlation Search?

did you check if in the Splunk baseline there's some Use Case for your technology?

did you check if in the Splunk Security Essentials App there's some Use Case for your technology?

Ciao.

Giuseppe


AL3Z
Builder

@gcusello 
Hi,

My requirement is to find where a user triggers both PDM and Encrypted file alerts in a short period of time (like 2 hours).
The data source is DLP.

Ciao.


gcusello
SplunkTrust

Hi @AL3Z,

could you share some samples of these two kinds of alerts,

indicating the correlation key between them?

Ciao.

Giuseppe


AL3Z
Builder

..


AL3Z
Builder

Please use the above sample event for this use case:
when a user triggers different PDM alerts in a short period of time (e.g. Block on Gmail and Block on external apps)...


gcusello
SplunkTrust

Hi @AL3Z,

this is one alert sample, and the other?

could you highlight in bold the correlation key to use?

Ciao.

Giuseppe


AL3Z
Builder

@gcusello 

Please find the sample event with the key points highlighted in red.


gcusello
SplunkTrust

Hi @AL3Z,

this is one kind of alert (PDM I suppose), can you share a sample of the other kind of alert or does it have the same format and only different message?

Ciao.

Giuseppe 


AL3Z
Builder

@gcusello could you briefly explain the PDM abbreviation and concept?


gcusello
SplunkTrust

Hi @AL3Z,

PDM is an acronym that I don't know and that you used.

In a few words, you have to:

  • identify the rules to filter only the events you need in both data sources (e.g. index and sourcetype); for this reason I asked for two samples of data, one for each data source to correlate,
  • then identify a correlation key (e.g. user), a common field in both data sources; if they have a different field name you have to rename one of them to have the same,
  • and then define the rules (e.g. user present in both data sources) to apply a final filter.

In this way, you should have something like this, to find events where the user is present in both data sources:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| stats dc(index) AS index_count values(index) AS index BY user
| where index_count=2

 Ciao.

Giuseppe

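The search above reports a user seen in both sources anywhere in the search time range; the original question asks for both alert kinds within a 2-hour span. The following search is an added example, not Giuseppe's search and not from the original thread. It assumes a single DLP index and sourcetype (`index=dlp sourcetype=dlp:alert`), a `user` field that is already common to both alert kinds, and an `alert_name` field whose values begin with "PDM" or "Encrypted File"; all of these names are assumptions to be replaced with the real ones taken from the sample events.

```spl
index=dlp sourcetype=dlp:alert (alert_name="PDM*" OR alert_name="Encrypted File*")
| eval alert_type=if(like(alert_name, "PDM%"), "pdm", "encrypted")
| sort 0 _time
| streamstats time_window=2h dc(alert_type) AS types_in_window values(alert_type) AS types_seen BY user
| where types_in_window=2
| table _time user alert_name types_seen
```

`streamstats time_window=2h ... BY user` keeps a sliding 2-hour window per user, so the result row is the alert that completed the pair and `types_seen` shows both kinds were present; `sort 0 _time` is required because `time_window` needs events in time order. The simpler `| bin _time span=2h | stats dc(alert_type) BY user _time` also works but misses pairs that straddle a bin boundary. If the two alert kinds carry the user in differently named fields, add a `rename` (e.g. `| rename src_user AS user`) before the `streamstats`, as described in the post above. When this is scheduled as a correlation search, run it over a range at least 2 hours wide (e.g. `earliest=-3h`) so the window is complete, and use throttling on `user` to avoid one notable per alert.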

AL3Z
Builder

@gcusello ,

Hi,

You're on a different track. My requirement is: if a single user triggers an alert (say alert_name, other than pdm) more than 3 times within 2 hours.

How could we achieve it using eval?

Thanks 👍


gcusello
SplunkTrust

Hi @AL3Z,

so the condition is triggering an alert, not that the alert must be in both indexes;

in this case, please try the same with a different final condition:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| stats dc(index) AS index_count values(index) AS index values(pdm) AS pdm BY user
| where index_count=1 AND index="index1"

the thing that I don't understand is what's the condition for pdm.

Ciao.

Giuseppe

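The restated requirement (the same user raising one non-PDM alert more than 3 times within 2 hours, flagged with eval) can be expressed directly, without correlating two indexes. The search below is an added example, not Giuseppe's search and not from the original thread. It assumes the same hypothetical `index=dlp sourcetype=dlp:alert` data, a `user` field and an `alert_name` field whose PDM alerts start with "PDM"; replace those names with the ones from the real events.

```spl
index=dlp sourcetype=dlp:alert NOT alert_name="PDM*"
| sort 0 _time
| streamstats time_window=2h count AS hits_in_window min(_time) AS first_seen BY user alert_name
| eval repeated=if(hits_in_window>3, "yes", "no")
| where repeated="yes"
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table _time user alert_name hits_in_window first_seen
```

The `BY user alert_name` clause counts each alert name separately per user, so three "Block on Gmail" and one "Block on external apps" do not add up to four; drop `alert_name` from the BY clause if any mix of non-PDM alerts should count. `hits_in_window` is the running count inside the trailing 2-hour window ending at each event, and the `eval` produces the yes/no flag that the question asked for; `first_seen` gives the start of the window that tripped the threshold, which is useful in the notable event. As with any sliding-window search, schedule it over a range at least as wide as the window.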