Splunk Enterprise Security

Can you help me build a query which would generate a list of enabled usecases in Splunk Enterprise Security App along with the last triggered time?

KumarGB
Explorer

Hey Guys,

Could anyone suggest me a query for the below scenario.

I need a Splunk query to show the list of enabled usecases in Enterprise Security App along with the last triggered time of the usecase.

To check the enabled usecases I'm using the below query.

| rest splunk_server=local count=0 /services/saved/searches
| search disabled=0 AND ( action.risk=1 OR action.notable=1 ) | table title

Along with this, I need the last triggered time of the use case in the same table.

Is it possible? if yes kindly help me by posting the query.

0 Karma
1 Solution

adonio
Ultra Champion

you are half way there.
you can check the last time a notable was created by querying the "notable" index, many options here to do so, examples:
index = notable | dedup search_name | table search_name _time
index = notable | stats max(_time) as last_notable by search_name
note: pay attention also to the source field in the notable index.

now all it takes is to put both queries together, again, many ways to go here too, here is one example with join:

index="notable"
| dedup search_name 
| stats max(_time) as last_hit by search_name
| join  search_name [
                      | rest splunk_server=local count=0 /services/saved/searches
                      | search disabled=0 AND ( action.risk=1 OR action.notable=1 )
                      | rename title as search_name 
                      | table search_name
                    ]
| eval last_hit_human = strftime(last_hit, "%c")

screenshot:
alt text

hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

you are half way there.
you can check the last time a notable was created by querying the "notable" index, many options here to do so, examples:
index = notable | dedup search_name | table search_name _time
index = notable | stats max(_time) as last_notable by search_name
note: pay attention also to the source field in the notable index.

now all it takes is to put both queries together, again, many ways to go here too, here is one example with join:

index="notable"
| dedup search_name 
| stats max(_time) as last_hit by search_name
| join  search_name [
                      | rest splunk_server=local count=0 /services/saved/searches
                      | search disabled=0 AND ( action.risk=1 OR action.notable=1 )
                      | rename title as search_name 
                      | table search_name
                    ]
| eval last_hit_human = strftime(last_hit, "%c")

screenshot:
alt text

hope it helps

0 Karma

KumarGB
Explorer

This Works Perfect. Thanks @adonio

0 Karma

adonio
Ultra Champion

when you say "triggered" do you mean the search was executed or you mean the search was executed and found a notable event?

0 Karma

KumarGB
Explorer

I mean the time when the search was executed and the notable was created.

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...