Splunk Cloud Platform

Suspicious Event Log Service Behavior

Abhirup_10
New Member

I am trying to fine tune one use case "Suspicious Event Log Service Behaviour". Below is the rule logic 

(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` | collect index=asx sourcetype=asx marker="mitre_id=T1070.001, execution_type=adhoc, execution_time=1637664004.675815"

but the rule is currently too noisy. Is it possible to set a bin time(5mins) between stop logging and start logging events. After 5mins if the logging started then I want to ignore the alerts. 

Or I have seen a field named dvc_priority, can we set the alerts only for high or critical? 

Help me with the query please. 

Labels (2)
0 Karma

datadevops
Path Finder
 

Hi there,

1. Implement a 5-Minute Bin Time:

  • Add the bucket command:
search (wineventlog_security EventCode=1100) | 
stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | 
security_content_ctime(firstTime) | 
security_content_ctime(lastTime) | 
suspicious_event_log_service_behavior_filter | 
bucket _time span=5m | 
... (rest of your query)
  • Filter out events with gaps within 5 minutes:
... | 
stats count as event_count by _time dest Message EventCode | 
eval is_first_event = if(_time == earliest(_time), 1, 0) | 
eval is_noisy_event = if(event_count > 1 AND is_first_event == 0, 1, 0) | 
filter not is_noisy_event

2. Filter by dvc_priority:

  • Add a filter condition:
... | 
where dvc_priority = "high" OR dvc_priority = "critical" | 
... (rest of your query)

Additional Tips:

  • Tailor the bin time: Adjust the span value in bucket _time span=5m to match your desired timeframe.
  • Prioritize based on risk: If dvc_priority accurately reflects risk, filtering by it can be effective.
  • Test thoroughly: Implement changes in a non-production environment first to ensure they work as intended.
  • Combine strategies: For optimal results, consider using both bin time and dvc_priority filtering together.

Remember:

  • Replace any placeholders like ... (rest of your query) with the actual remaining parts of your query.
  • Adapt field names and values to match your specific Splunk configuration.

I'm here to assist further if you have any more questions or need additional guidance!

~ If this helps, a Karma upvote would be much appreciated.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...