Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlation Search question (Enterprise Security)

echojacques
Builder
‎02-19-2014 03:34 PM

Hello,

This is a correlation search included with Enterprise Security that detects and alerts for potential spyware activity:

| `src_dest_tracker("allowed")` | lookup local=true ip_spyware_lookup src OUTPUTNEW src_ip as src_spyware_ip,src_description,src_is_spyware | lookup local=true ip_spyware_lookup dest OUTPUTNEW dest_ip as dest_spyware_ip,dest_description,dest_is_spyware | search dest_is_spyware=true OR src_is_spyware=true | eval spyware_ip=if(dest_is_spyware=="true",dest_spyware_ip,spyware_ip) | eval spyware_ip=if(src_is_spyware=="true",src_spyware_ip,spyware_ip) | eval spyware_description=if(dest_is_spyware=="true",dest_description,spyware_description) | eval spyware_description=if(src_is_spyware=="true",src_description,spyware_description) | fields + sourcetype,src,dest,spyware_ip,spyware_description

My question is, is there a way to tweak this search so that it only alerts when there are more than X number of events? In other words, let me know when an IP address triggers this rule 5 times (within a 24 hour period).

I thought it was as simple as adding: "| search count>5" to the end of the search string but it didn't work.

Thanks for any tips!

Reply
1 Solution
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 03:59 PM

Hi,

First and obligatory answer is upgrade, 3.0's version is much easier to read because of architectural improvements.... That said, I'd put stats count(spyware_ip) as spyware_count by spyware_ip | search spyware_count>5 at the end.

View solution in original post

Reply
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 03:59 PM

Hi,

First and obligatory answer is upgrade, 3.0's version is much easier to read because of architectural improvements.... That said, I'd put stats count(spyware_ip) as spyware_count by spyware_ip | search spyware_count>5 at the end.

Reply
Solved! Jump to solution

echojacques
Builder
‎02-20-2014 01:31 PM

This worked, thanks for the help!

0 Karma
Reply
Solved! Jump to solution

echojacques
Builder
‎02-19-2014 04:05 PM

Hi, thanks, I will try this in the morning and let you know the results!

... I did try the upgrade to ES 3 but had a few issues so I had to rollback, but it's good to know that the correlation searches are more efficient in ES 3.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...