Splunk Enterprise Security

Modifying Correlation search - Substantial Increase in Port Activity (By Destination)

brianyaucy
New Member

Hi all! I have just started working on Splunk ES.

However I found that when turned on the correlation rule below, there are way too many notable events generated ...

| tstats allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.dest_port 
| `drop_dm_object_name("All_Traffic")` 
| localop 
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme

Some of them were generated solely because of the traffic passing through 2 firewalls ...
Does anyone have idea on modifying this correlation search?

0 Karma
1 Solution

sduff_splunk
Splunk Employee

You mention that you have just started working on Splunk ES. Note that in the search you have provided, xswhere is used, which is an extreme search. The extreme search provides a non-fixed threshold on when to alert, but it needs time to first baseline. During this time, this correlation rule may be very active in creating notables, as it has yet to establish a baseline for each destination port.

You can look into the current levels set by extreme search by looking at the extreme search app and selecting the appropriate context.

You could choose to replace the xswhere clause with something like the following, but you would lose the huge benefit that extreme search provides.

 | tstats allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.dest_port 
 | `drop_dm_object_name("All_Traffic")` 
 | localop 
 | where count > 10

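The trade-off the answer above describes (a fixed `where count > 10` fires on every busy port, while a per-port adaptive threshold only fires on deviations from that port's own history, and cannot fire sensibly until enough history exists) can be shown outside Splunk. The following is an added illustration and is not code from the original thread, not Splunk's code, and not the algorithm Extreme Search actually uses: it stands in a median plus median-absolute-deviation (MAD) rule for "is extreme", with the multiplier K=5 and the 7-day minimum baseline both being assumed values. The daily per-port counts are constructed sample data, including one port (443) that is simply high-volume, one (22) with a genuine spike, and one (8443) that is too new to have a baseline.

```python
"""Fixed threshold vs. per-port baseline for "Substantial Increase in Port Activity".

Added example; the median/MAD rule, K, MIN_BASELINE_DAYS and SAMPLE are all
assumptions made for illustration and are not Splunk Extreme Search internals.
"""
from statistics import median

# Constructed sample: daily connection counts per destination port, oldest
# first. The last entry of each list is "today", the window the correlation
# search evaluates. Port 443 is steadily busy, port 22 spikes today, port 3389
# is near-silent, and port 8443 has only two days of history.
SAMPLE = {
    "443":  [1200, 1150, 1300, 1250, 1180, 1220, 1260,
             1240, 1210, 1190, 1230, 1270, 1250, 1200, 1300],
    "22":   [15, 12, 14, 16, 13, 15, 14, 12, 16, 13, 15, 14, 13, 15, 90],
    "3389": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0],
    "8443": [40, 41],
}

FIXED_THRESHOLD = 10      # the `where count > 10` replacement from the answer
MIN_BASELINE_DAYS = 7     # assumption: do not alert until this much history exists
K = 5                     # assumption: MADs above the median that count as "extreme"


def fixed_threshold_alerts(data, threshold=FIXED_THRESHOLD):
    """Ports whose current-window count exceeds a static threshold.

    This is what `| where count > 10` does: busy ports alert every run.
    """
    return sorted(port for port, series in data.items() if series[-1] > threshold)


def baseline(history):
    """Median and median absolute deviation of a port's history.

    Both are robust statistics, so a single past spike does not inflate the
    threshold the way a mean/stdev baseline would.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def is_extreme(series, k=K, min_days=MIN_BASELINE_DAYS):
    """Decide whether today's count is far above this port's own history.

    Returns (decision, reason). With too little history the decision is
    always False: that is the "needs time to baseline" caveat, handled by
    suppressing rather than by alerting on everything.
    """
    history, current = series[:-1], series[-1]
    if len(history) < min_days:
        return False, "insufficient baseline"
    med, mad = baseline(history)
    # A perfectly flat history has MAD 0; floor the spread so a quiet port
    # still gets a usable threshold instead of alerting on any single event.
    spread = max(mad, 1.0)
    threshold = med + k * spread
    reason = f"median={med:g} mad={mad:g} threshold={threshold:g} current={current}"
    return current > threshold, reason


def baselined_alerts(data, **kwargs):
    """Ports whose current count is extreme relative to their own baseline."""
    return sorted(port for port, series in data.items() if is_extreme(series, **kwargs)[0])


if __name__ == "__main__":
    print("fixed threshold alerts:", fixed_threshold_alerts(SAMPLE))
    print("baselined alerts:     ", baselined_alerts(SAMPLE))
    for port, series in SAMPLE.items():
        decision, reason = is_extreme(series)
        print(f"  port {port:>5}: extreme={decision!s:5} ({reason})")
```

On the constructed data the fixed rule flags 443, 22 and 8443, while the baselined rule flags only 22, and 8443 is deferred until it has enough history. The same shape applies to the firewall case from the question: traffic counted at two firewalls doubles a port's level on every day, so it becomes part of that port's baseline rather than a recurring deviation from it.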


kamal_jagga
Contributor

Thanks...This is very helpful.
It would have been great, if you could have provided some guidance on finding out the current levels using the extreme search as well 🙂

0 Karma

sduff_splunk
Splunk Employee

Grab a copy of the Extreme Search Visualisation app (https://splunkbase.splunk.com/app/2855/), which will visibly illustrate the current levels.

There are ways to do it through SPL, but I find the visualisation easier to understand.

0 Karma

jwelch_splunk
Splunk Employee

What version of ES and what version of Core are you running?

0 Karma

brianyaucy
New Member

Splunk core 6.4.1
ES 4.1.0 3118

0 Karma