Splunk Enterprise Security

Correlation search - Stream events

Crashfry
Path Finder

I'll start with the goal of what I am trying to accomplish first. I'd like to be able to detect any source sending data out in the middle of the night (for example, 11 PM to 6 AM) by means of FTP (ports 20, 21, 69) with a specific amount of data (x MB or y bytes) using our Stream data. I'm not really sure how to build a correlation search to accomplish that, but I have a search I've built for a dashboard to attempt to track this, which I'll copy below; I'm more looking to be able to use Enterprise Security to accomplish it.

index=stream_netflow sourcetype="stream:netflow" (dest_port=20 OR dest_port=21 OR dest_port=69)
| eval totalbytes=bytes_out
| eval total_mb=round(totalbytes/1024/1024, 2)
| stats sum(total_mb) as "Total MB", count as "Event Count" by src_ip, src_port, dest_ip, dest_port
| sort limit=15 -"Total MB"

Any help or ideas would be greatly appreciated!

0 Karma
1 Solution

lakshman239
SplunkTrust

You can directly use your search and convert it to a correlation search. The one below will create a notable only when Total MB is greater than 100. You can change that as per your need. You can create it using guided mode or directly add the search in the correlation search [ https://docs.splunk.com/Documentation/ES/5.3.0/Tutorials/GuidedCorrelationSearch ]. You can then set up throttling so it does not alert for the same host or port etc. for the next 1 day or so.

index=stream_netflow sourcetype="stream:netflow" (dest_port=20 OR dest_port=21 OR dest_port=69)
| eval totalbytes=bytes_out
| eval total_mb=round(totalbytes/1024/1024, 2)
| stats sum(total_mb) as "Total MB", count as "Event Count" by src_ip, src_port, dest_ip, dest_port
| where 'Total MB' > 100


0 Karma
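Editor's added example (not part of either poster's search): the same detection written out as a complete correlation search that also applies the 23:00 to 06:00 window the question asks about. It assumes the stream:netflow fields already used on this page (src_ip, dest_ip, dest_port, bytes_out) and the 100 MB threshold from the accepted answer; the port list is kept as the question gives it, although 69 is TFTP rather than FTP. Three points a practitioner would want to get right: the port list must be parenthesised, because in SPL an implicit AND binds tighter than OR, so without parentheses `index=... dest_port=69 OR dest_port=20` matches port 20 traffic from every index; in `where` a double-quoted name such as "Total MB" is a string literal, so a field name with a space has to be single-quoted; and bytes should be summed before converting to MB, since summing per-event rounded values drifts. The group-by deliberately drops src_port, so a transfer chunked across many connections from one host still adds up against the threshold; that is a design choice of this example, not something the original posts state. Applying the threshold after stats tests the aggregated total per source, which is a different condition from testing each flow on its own.

```spl
index=stream_netflow sourcetype="stream:netflow" dest_port IN (20, 21, 69)
``` keep only flows whose timestamp falls in the overnight window; strftime uses the searching user's timezone, so the search owner should be in the site's local zone ```
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=23 OR hour<6
``` aggregate per source host and destination, not per connection, so chunked transfers are counted together ```
| stats sum(bytes_out) as total_bytes, count as event_count, min(_time) as first_seen, max(_time) as last_seen by src_ip, dest_ip, dest_port
| eval total_mb=round(total_bytes/1024/1024, 2)
``` threshold from the accepted answer; raise or lower it per environment ```
| where total_mb > 100
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -total_mb
```

Suggested correlation search settings to go with it: schedule it once a day shortly after the window closes (cron `0 6 * * *`) with earliest `-7h@h` and latest `@h`, so each run covers exactly the previous 23:00 to 06:00; in the throttling section group by src_ip, dest_ip and dest_port with a window of 86400 seconds, so one noisy host raises one notable per night rather than one per run.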

Crashfry
Path Finder

Just had to rearrange the search to make it work: the where clause had to go above the stats clause. Now it works. Thanks for the help.

0 Karma