Splunk Enterprise Security

Can you help me with a search which would return the sum of multiple count values?

Explorer

Hello,

I am trying to create a dashboard for Splunk Enterprise Security to track incident response. I have a search that spits out a count of all incidents over a 30d period of time. I want to combine some of these events into values indicative of the product that triggers these events. Here is my base search:

| `incident_review` | where _time >= relative_time(now(), "-30d@d") | stats count by rule_name

That search spits out the following results:

rule_name                count
Cylance Threats          150
Cylance Exploit Event    28
Account Deleted          9
Excessive Failed Logins  14

I want to combine the count value for Cylance Threats and Cylance Exploit Event into one total named Cylance and also combine Account Deleted and Excessive Failed logins into one total named AD_Events.

I have tried the eval coalesce command, sum(count) commands, and rename commands as well. I can't seem to get this to work. If anyone could provide some help it would be greatly appreciated. Thanks!

1 Solution

Champion

You need to modify your rule_name:

| `incident_review` | where _time >= relative_time(now(), "-30d@d") | eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", rule_name) | stats count by rule_name

If this gives you the expected count for Cylance, all you need to do is modify the eval for the AD_Events use case.

Explorer

That worked! Thanks!
How would I go about doing this multiple times in one search? So I can create a Cylance total, AD_Events total, and a Network_Events total all in one search for example.

Champion

You can do it in one eval. I am now including the one for AD_Events:

| eval rule_name=if(rule_name="Cylance Threats" OR rule_name="Cylance Exploit Event","Cylance", if(rule_name="Account Deleted" OR rule_name="Excessive Failed Logins","AD_Events",rule_name))

Works like an Excel IF statement.

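
Nested if() calls get hard to read once there are more than two or three buckets. The search below is an added example, not code from either poster, showing the same roll-up with eval case(), which takes any number of condition/value pairs and reads top to bottom. The Cylance and AD_Events rule names come from the question; the "^(Network|Firewall|IDS)" pattern for Network_Events is a placeholder assumption, since the thread never says which rules belong there. The final true() branch is the important caveat: case() returns null when no condition matches, and stats drops rows with a null by-field, so without a default any notable from a rule you forgot to map silently disappears from the dashboard.

```spl
| `incident_review`
| where _time >= relative_time(now(), "-30d@d")
| eval product=case(
    match(rule_name, "^Cylance"),                                         "Cylance",
    rule_name="Account Deleted" OR rule_name="Excessive Failed Logins",   "AD_Events",
    match(rule_name, "^(Network|Firewall|IDS)"),                          "Network_Events",
    true(),                                                               "Other")
| stats count by product
```

This is equivalent to the sum(count) approach the question mentions, as long as the eval runs after the first stats: `| stats count by rule_name | eval product=case(...) | stats sum(count) as count by product`. That two-stage form is handy when the dashboard also needs the per-rule breakdown, since the intermediate table can be reused before it is collapsed. Keeping the new field as product rather than overwriting rule_name preserves the original rule name for drilldowns.
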
Explorer

Great! Thank you for your help!