I'll start with the goal of what I am trying to accomplish first. I'd like to be able to detect any source sending data out in the middle of the night (for example 11 PM to 6 AM) by means of FTP (ports 20, 21, 69) with a specific amount of data (x MB or y bytes) using our Stream data. I'm not really sure how to build a correlation search to accomplish that, but I have a search I've built for a dashboard to attempt to track this, which I'll copy below. I'm more so looking to be able to use Enterprise Security to accomplish it.
index=stream_netflow sourcetype="stream:netflow" dest_port=69 OR dest_port=20 OR dest_port=21
| eval totalbytes=(bytes_out)
| eval total_mb=(totalbytes/1024/1024)
| eval total_mb=round(total_mb,2)
| stats sum(total_mb) as "Total MB", count(_raw) as "Event Count" by src_ip, src_port, dest_ip, dest_port
| sort -"Total MB" limit=15
Any help or ideas would be greatly appreciated!
You can directly use your search and convert it to a correlation search. The below will create a notable only when Total MB is greater than 100. You can change it as per your need. You can create it using guided mode or directly add the search in the correlation search [ https://docs.splunk.com/Documentation/ES/5.3.0/Tutorials/GuidedCorrelationSearch ]. You can then set up throttling to not alert for the same host or port etc. for the next day or so.
index=stream_netflow sourcetype="stream:netflow" dest_port=69 OR dest_port=20 OR dest_port=21
| eval totalbytes=(bytes_out)
| eval total_mb=(totalbytes/1024/1024)
| eval total_mb=round(total_mb,2)
| stats sum(total_mb) as "Total MB", count(_raw) as "Event Count" by src_ip, src_port, dest_ip, dest_port
| where 'Total MB' > 100
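The answer's search has no time-of-day filter and rounds each flow to two decimals before summing, so many small transfers can round to 0 MB and never reach the threshold. The version below is an added example, not the answer's search, that adds the 11 PM to 6 AM window from the question, sums raw bytes before converting, and uses field names without spaces so the where clause compares the field rather than a quoted string literal (in where, double quotes mean a string; a field name with a space needs single quotes). The 100 MB threshold and the assumption that the correlation search is scheduled to run shortly after 06:00 with an earliest time covering the previous night are mine.

```spl
index=stream_netflow sourcetype="stream:netflow" (dest_port=20 OR dest_port=21 OR dest_port=69)
``` derive the local hour of each flow; _time is always present, date_hour is not guaranteed for all sourcetypes ```
| eval hour=tonumber(strftime(_time, "%H"))
``` keep only flows between 23:00 and 05:59 ```
| where hour>=23 OR hour<6
``` sum bytes per source/destination pair first, then convert, so small flows are not rounded away ```
| stats sum(bytes_out) as total_bytes, count as event_count, min(_time) as first_seen, max(_time) as last_seen by src_ip, dest_ip, dest_port
| eval total_mb=round(total_bytes/1024/1024, 2)
``` threshold is an assumption; tune it to what is normal for this network ```
| where total_mb > 100
| convert ctime(first_seen) ctime(last_seen)
| sort - total_mb
```

Grouping by src_ip, dest_ip and dest_port rather than also by src_port keeps a multi-connection transfer as one notable; in ES, throttle on src_ip and dest_ip so the same pair does not raise a new notable on every run.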
Just had to rearrange the search to make it work: the where clause had to be above the stats clause. Now it works. Thanks for the help.