Fine-tune Incident Review - Splunk ES

tbavarva
Path Finder

Hi All,
We are using the Splunk ES app in our environment, log sources are integrated with it, and I am working on making the logs CIM compatible.

As of now, we are getting thousands of notable events in Splunk ES incident review dashboard.

While investigating the events, I find most of them are false positives.

In the notable events, we could see a success count of 320 and a failed attempt count of 10 within a day. So this is not the behavior of a brute force attack.

I also checked correlation rules associated with each event.

For example, the brute force behavior correlation rule only considers the success event count.

I need help to fine-tune these correlation rules, as well as a standard threshold count for all correlation rules in Splunk ES.

Could anyone please point me to any document available in Splunk Docs that can fulfill my purpose?

If you have fine-tuned these rules in your environment, please share your guidance.

That would be a great help.

Regards,
Tejas

0 Karma

richgalloway
SplunkTrust

All ES correlation searches can be (and should be) edited to suit your environment. In ES, select Configure->Content and choose "Correlation Search" from the Type dropdown. Click on the search you want to modify. Edit the search as necessary to fit your requirements. There should be a where clause containing the threshold for the notable event, but feel free to change any part of the search.

---
If this reply helps you, an upvote would be appreciated.

0 Karma
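As an added illustration of the "edit the where clause" advice above, here is a correlation search body written for this thread; it is not the brute force search that ships with ES and not richgalloway's code. It assumes the Authentication data model is accelerated and CIM-compliant (action, src and user fields populated), that the search's own scheduled time range supplies the one-day window, and that the thresholds (20 failures, at least one success, more failures than successes) are placeholders an analyst would tune for their environment. The last condition is what suppresses the 320-success / 10-failure case from the original question.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication.Authentication
    by Authentication.src, Authentication.action
| `drop_dm_object_name("Authentication")`
| `comment("Pivot the per-action counts into one row per source")`
| eval failure=if(action="failure", count, 0),
       success=if(action="success", count, 0)
| stats sum(failure) as failure, sum(success) as success by src
| `comment("Tunable threshold clause: assumed values, adjust for your environment")`
| where failure >= 20 AND success >= 1 AND failure > success
| table src, failure, success
```

Paste a search like this into the correlation search opened via Configure->Content, keep the notable event action, and change only the numbers in the `where` line when the first week of results shows the threshold is still too low or too high. Requiring a success that follows a run of failures is what distinguishes a possible compromised account from ordinary typo noise; a source that only fails never reaches the notable stage under this clause, so pair it with a separate excessive-failures search if you also want to see pure lockout-style activity.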


tbavarva
Path Finder

Hi @richgalloway ,
Thanks for your kind response.

base search
| xswhere failure from failures_by_src_count_1d in authentication is above medium

Can you please tell me what these terms (failure, failures_by_src_count_1d, medium) are?

Regards,
Tejas

0 Karma

richgalloway
SplunkTrust

IIRC, 'failure' is a field from the base search; 'failures_by_src_count_1d' is a lookup file maintained by the Extreme Search (XS) app; and 'medium' is a fuzzy measurement used by XS. The definition of "medium" will vary over time with the number of failures detected. You can change "medium" to "high" to create a higher threshold.

See https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Extremesearchreference for more information.

BTW, in ES 6.0 Extreme Search is replaced by the Machine Learning Toolkit.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

tbavarva
Path Finder

Thanks a lot @richgalloway, that is what I wanted to know. 🙂

0 Karma