Hi All,
We are using the Splunk ES app in our environment, log sources are integrated into it, and I am working on making the logs CIM compatible.
As of now, we are getting thousands of notable events in Splunk ES incident review dashboard.
While investigating the events, mostly those are false positive.
In the notable events, we can see the success count is 320 and the failed attempt count is 10 within a day. So it is not the correct behavior for brute force.
I also checked correlation rules associated with each event.
For example, the brute force behavior correlation rule only considers the success event count.
I need help to fine-tune these correlation rules as well as standard threshold count for all correlation rules in Splunk ES.
Could anyone please point me to any document available in Splunk Docs which can fulfill my purpose?
If you have fine-tuned these rules in your environment, then you could provide your guidance.
That would be a great help.
Regards,
Tejas
All ES correlation searches can be (and should be) edited to suit your environment. In ES, select Configure->Content and choose "Correlation Search" from the Type dropdown. Click on the search you want to modify. Edit the search as necessary to fit your requirements. There should be a where clause containing the threshold for the notable event, but feel free to change any part of the search.
Hi @richgalloway ,
Thanks for your kind response.
base search
| xswhere failure from failures_by_src_count_1d in authentication is above medium
Can you please tell me what these terms (failure, failures_by_src_count_1d, medium) are?
Regards,
Tejas
IIRC, 'failure' is a field from the base search; 'failures_by_src_count_1d' is a lookup file maintained by the Extreme Search (XS) app; and 'medium' is a fuzzy measurement used by XS. The definition of "medium" will vary over time with the number of failures detected. You can change "medium" to "high" to create a higher threshold.
See https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Extremesearchreference for more information.
BTW, in ES 6.0 Extreme Search is replaced by the Machine Learning Toolkit.
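As an added illustration of both answers above (editing the where clause of a correlation search, and what to do with the xswhere line), here is a tuned copy of the brute-force rule written as the savedsearches.conf stanza that ES stores behind the Configure->Content UI. This is example configuration, not the search text that ships with ES (copy that from your own installation before editing); the stanza name, label, schedule, throttle and the numeric thresholds are assumptions you would set from your own data. The field names come from the CIM Authentication data model.

```ini
# Added example, not from the thread. A tuned correlation search as it would
# land in $SPLUNK_HOME/etc/apps/<your-app>/local/savedsearches.conf after
# saving it from Configure->Content. Stanza name, label, schedule, throttle
# window and thresholds are illustrative assumptions.
#
# The shipped rule ends in
#   | xswhere failure from failures_by_src_count_1d in authentication is above medium
# where "medium" is an Extreme Search concept whose boundary moves with the
# observed data. The tuned version below replaces it with explicit thresholds:
#   - at least 100 failed logins from one source in the window
#   - at least one success from that source (the credential was eventually guessed)
#   - failures make up at least half of the source's authentication events
# With 320 successes and 10 failures, failure_ratio is 0.03 and failure < 100,
# so this source no longer produces a notable.
# If you would rather keep Extreme Search and just raise the bar, swap the
# `| where ...` line for the xswhere line above with "medium" changed to "high".
[Access - Brute Force Access Behavior Detected - Tuned - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Access - Brute Force Access Behavior Detected (Tuned)
action.notable = 1
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.rule_title = Brute force from $src$: $failure$ failures, $success$ successes
action.notable.param.rule_description = Source $src$ produced $failure$ failed logins against $user_count$ user(s) (failure ratio $failure_ratio$) and at least one success in the last 24 hours.
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
# Throttle: one notable per source per day instead of one per scheduled run.
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 24h
search = | tstats summariesonly=true allow_old_summaries=true \
    count(eval('Authentication.action'=="failure")) as failure \
    count(eval('Authentication.action'=="success")) as success \
    dc(Authentication.user) as user_count \
    from datamodel=Authentication \
    by Authentication.src \
  | rename Authentication.* as * \
  | eval total=failure+success, failure_ratio=if(total>0, round(failure/total, 2), 0) \
  | where failure >= 100 AND success > 0 AND failure_ratio >= 0.5 \
  | sort - failure
```

Two practical notes: saving the shipped rule from the UI writes the override into a local/ directory, so an ES upgrade will not undo it, but cloning the rule under a new name (as above) and disabling the original keeps the vendor search intact for comparison. And before settling on 100 and 0.5, run the tstats part of the search alone over a week of data and look at the distribution of failure and failure_ratio per src; the threshold should sit above your noisy service accounts and scanners, not at a round number.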
Thanks a lot @richgalloway That is what I wanted to know. 🙂