Splunk Enterprise Security

Modifying Correlation search - Substantial Increase in Port Activity (By Destination)

New Member

Hi all! I have just started working on Splunk ES.

However I found that when turned on the correlation rule below, there are way too many notable events generated ...

| tstats allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.dest_port 
| `drop_dm_object_name("All_Traffic")` 
| localop 
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme

Some of them were generated solely because of the traffic passing through 2 firewalls ...
Does anyone have idea on modifying this correlation search?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

You mention that you have just started working on Splunk ES. Note that in the search you have provided, xswhere is used, which is an extreme search. The extreme search provides a non-fixed threshold on when to alert, but it needs time to first baseline. During this time, this correlation rule may be very active in creating notables, as it has yet to establish a base line for each destination port.

You can look into the current levels set by extreme search by looking at the extreme search app and selecting the appropraite context.

You could choose replace the xswhere clause with something like the following, but you would lose the huge benefit that extreme search provides.

 | tstats allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.dest_port 
 | `drop_dm_object_name("All_Traffic")` 
 | localop 
 | where count > 10

View solution in original post

Splunk Employee
Splunk Employee

You mention that you have just started working on Splunk ES. Note that in the search you have provided, xswhere is used, which is an extreme search. The extreme search provides a non-fixed threshold on when to alert, but it needs time to first baseline. During this time, this correlation rule may be very active in creating notables, as it has yet to establish a base line for each destination port.

You can look into the current levels set by extreme search by looking at the extreme search app and selecting the appropraite context.

You could choose replace the xswhere clause with something like the following, but you would lose the huge benefit that extreme search provides.

 | tstats allow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.dest_port 
 | `drop_dm_object_name("All_Traffic")` 
 | localop 
 | where count > 10

View solution in original post

Contributor

Thanks...This is very helpful.
It would have been great, if you could have provided some guidance on finding out the current levels using the extreme search as well 🙂

0 Karma

Splunk Employee
Splunk Employee

Grab a copy of the Extreme Search Visualisation app (https://splunkbase.splunk.com/app/2855/) which will visibly illustrate the current levels

There are ways to do it through SPL, but I find the visualisation easier to understand

0 Karma

Splunk Employee
Splunk Employee

What version of ES and what version of Core are you running?

0 Karma

New Member

Splunk core 6.4.1
ES 4.1.0 3118

0 Karma