Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Re: Correlation search - Stream events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll start with the goal of what I am trying to accomplish first. I'd like to be able to detect any source sending data out in the middle of the night (example 11 PM to 6 AM) by means of FTP ( Ports 20,21,69) with a specific amount of data ( x mbs or y bytes ) using our Stream data. I'm not really sure how to build a correlation search to accomplish that but in that, I have a search I've built for a dashboard to attempt to track this which I'll copy below but more so looking to be able to use Enterprise Security to accomplish it.
index=stream_netflow sourcetype="stream:netflow" dest_port=69 OR dest_port=20 OR dest_port=21
| eval totalbytes=(bytes_out)
| eval total_mb=(totalbytes/1024/1024)
| eval total_mb=round(total_mb,2)
| stats sum(total_mb) as "Total MB", count(_raw) as "Event Count" by src_ip, src_port, dest_ip, dest_port
| sort -"Total MB" limit=15
Any help or ideas would be greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can directly use your search and convert to co-relation search. The below will create a notable only when Total MB is greater than 100. You can change as per your need. You can create using guided mode or directly add the search in the cor.search [ https://docs.splunk.com/Documentation/ES/5.3.0/Tutorials/GuidedCorrelationSearch]. You can then setup throttling to not alert for same host or port etc. for next 1 day or so.
index=stream_netflow sourcetype="stream:netflow" dest_port=69 OR dest_port=20 OR dest_port=21
| eval totalbytes=(bytes_out)
| eval total_mb=(totalbytes/1024/1024)
| eval total_mb=round(total_mb,2)
| stats sum(total_mb) as "Total MB", count(_raw) as "Event Count" by src_ip, src_port, dest_ip, dest_port
| where "Total MB" > 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can directly use your search and convert to co-relation search. The below will create a notable only when Total MB is greater than 100. You can change as per your need. You can create using guided mode or directly add the search in the cor.search [ https://docs.splunk.com/Documentation/ES/5.3.0/Tutorials/GuidedCorrelationSearch]. You can then setup throttling to not alert for same host or port etc. for next 1 day or so.
index=stream_netflow sourcetype="stream:netflow" dest_port=69 OR dest_port=20 OR dest_port=21
| eval totalbytes=(bytes_out)
| eval total_mb=(totalbytes/1024/1024)
| eval total_mb=round(total_mb,2)
| stats sum(total_mb) as "Total MB", count(_raw) as "Event Count" by src_ip, src_port, dest_ip, dest_port
| where "Total MB" > 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just had to rearrange the search to make it work - the where clause had to be above the stats clause. Now it works - thanks for the help.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
