Splunk Enterprise Security

Can you help me build a query which would generate a list of enabled usecases in Splunk Enterprise Security App along with the last triggered time?

KumarGB
Explorer

Hey Guys,

Could anyone suggest me a query for the below scenario.

I need a Splunk query to show the list of enabled usecases in Enterprise Security App along with the last triggered time of the usecase.

To check the enabled usecases I'm using the below query.

| rest splunk_server=local count=0 /services/saved/searches
| search disabled=0 AND ( action.risk=1 OR action.notable=1 ) | table title

Along with this, I need the last triggered time of the use case in the same table.

Is it possible? if yes kindly help me by posting the query.

0 Karma
1 Solution

adonio
Ultra Champion

you are half way there.
you can check the last time a notable was created by querying the "notable" index, many options here to do so, examples:
index = notable | dedup search_name | table search_name _time
index = notable | stats max(_time) as last_notable by search_name
note: pay attention also to the source field in the notable index.

now all it takes is to put both queries together, again, many ways to go here too, here is one example with join:

index="notable"
| dedup search_name 
| stats max(_time) as last_hit by search_name
| join  search_name [
                      | rest splunk_server=local count=0 /services/saved/searches
                      | search disabled=0 AND ( action.risk=1 OR action.notable=1 )
                      | rename title as search_name 
                      | table search_name
                    ]
| eval last_hit_human = strftime(last_hit, "%c")

screenshot:
alt text

hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

you are half way there.
you can check the last time a notable was created by querying the "notable" index, many options here to do so, examples:
index = notable | dedup search_name | table search_name _time
index = notable | stats max(_time) as last_notable by search_name
note: pay attention also to the source field in the notable index.

now all it takes is to put both queries together, again, many ways to go here too, here is one example with join:

index="notable"
| dedup search_name 
| stats max(_time) as last_hit by search_name
| join  search_name [
                      | rest splunk_server=local count=0 /services/saved/searches
                      | search disabled=0 AND ( action.risk=1 OR action.notable=1 )
                      | rename title as search_name 
                      | table search_name
                    ]
| eval last_hit_human = strftime(last_hit, "%c")

screenshot:
alt text

hope it helps

0 Karma

KumarGB
Explorer

This Works Perfect. Thanks @adonio

0 Karma

adonio
Ultra Champion

when you say "triggered" do you mean the search was executed or you mean the search was executed and found a notable event?

0 Karma

KumarGB
Explorer

I mean the time when the search was executed and the notable was created.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...