Splunk Cloud Platform

Suspicious Event Log Service Behavior

Abhirup_10
New Member

I am trying to fine tune one use case "Suspicious Event Log Service Behaviour". Below is the rule logic 

(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` | collect index=asx sourcetype=asx marker="mitre_id=T1070.001, execution_type=adhoc, execution_time=1637664004.675815"

but the rule is currently too noisy. Is it possible to set a bin time(5mins) between stop logging and start logging events. After 5mins if the logging started then I want to ignore the alerts. 

Or I have seen a field named dvc_priority, can we set the alerts only for high or critical? 

Help me with the query please. 

Labels (2)
0 Karma

datadevops
Path Finder
 

Hi there,

1. Implement a 5-Minute Bin Time:

  • Add the bucket command:
search (wineventlog_security EventCode=1100) | 
stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | 
security_content_ctime(firstTime) | 
security_content_ctime(lastTime) | 
suspicious_event_log_service_behavior_filter | 
bucket _time span=5m | 
... (rest of your query)
  • Filter out events with gaps within 5 minutes:
... | 
stats count as event_count by _time dest Message EventCode | 
eval is_first_event = if(_time == earliest(_time), 1, 0) | 
eval is_noisy_event = if(event_count > 1 AND is_first_event == 0, 1, 0) | 
filter not is_noisy_event

2. Filter by dvc_priority:

  • Add a filter condition:
... | 
where dvc_priority = "high" OR dvc_priority = "critical" | 
... (rest of your query)

Additional Tips:

  • Tailor the bin time: Adjust the span value in bucket _time span=5m to match your desired timeframe.
  • Prioritize based on risk: If dvc_priority accurately reflects risk, filtering by it can be effective.
  • Test thoroughly: Implement changes in a non-production environment first to ensure they work as intended.
  • Combine strategies: For optimal results, consider using both bin time and dvc_priority filtering together.

Remember:

  • Replace any placeholders like ... (rest of your query) with the actual remaining parts of your query.
  • Adapt field names and values to match your specific Splunk configuration.

I'm here to assist further if you have any more questions or need additional guidance!

~ If this helps, a Karma upvote would be much appreciated.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...