Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Suspicious Event Log Service Behavior

Abhirup_10
New Member
‎01-25-2024 04:29 PM

I am trying to fine tune one use case "Suspicious Event Log Service Behaviour". Below is the rule logic 

(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` | collect index=asx sourcetype=asx marker="mitre_id=T1070.001, execution_type=adhoc, execution_time=1637664004.675815"

but the rule is currently too noisy. Is it possible to set a bin time(5mins) between stop logging and start logging events. After 5mins if the logging started then I want to ignore the alerts. 

Or I have seen a field named dvc_priority, can we set the alerts only for high or critical? 

Help me with the query please. 

Labels (2)
0 Karma
Reply

datadevops
Path Finder
‎01-28-2024 02:05 AM
 

Hi there,

1. Implement a 5-Minute Bin Time:

  • Add the bucket command:
search (wineventlog_security EventCode=1100) | 
stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | 
security_content_ctime(firstTime) | 
security_content_ctime(lastTime) | 
suspicious_event_log_service_behavior_filter | 
bucket _time span=5m | 
... (rest of your query)
  • Filter out events with gaps within 5 minutes:
... | 
stats count as event_count by _time dest Message EventCode | 
eval is_first_event = if(_time == earliest(_time), 1, 0) | 
eval is_noisy_event = if(event_count > 1 AND is_first_event == 0, 1, 0) | 
filter not is_noisy_event

2. Filter by dvc_priority:

  • Add a filter condition:
... | 
where dvc_priority = "high" OR dvc_priority = "critical" | 
... (rest of your query)

Additional Tips:

  • Tailor the bin time: Adjust the span value in bucket _time span=5m to match your desired timeframe.
  • Prioritize based on risk: If dvc_priority accurately reflects risk, filtering by it can be effective.
  • Test thoroughly: Implement changes in a non-production environment first to ensure they work as intended.
  • Combine strategies: For optimal results, consider using both bin time and dvc_priority filtering together.

Remember:

  • Replace any placeholders like ... (rest of your query) with the actual remaining parts of your query.
  • Adapt field names and values to match your specific Splunk configuration.

I'm here to assist further if you have any more questions or need additional guidance!

~ If this helps, a Karma upvote would be much appreciated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...