Solved: Re: Splunk Enterprise Security: How to alert on a ...

renjujacob88 · ‎11-12-2016

Hi,

Need help in creating an alert!!

Last week, we had integrated the Symantec to Splunk Enterprise Security. Symantec scans all the devices in our environment and provides us the scan result.
We need a search to throw the list of hosts which are not scanned for the last 7 days.

Sample log format is shown below :Log format is a

Scan_Action= Complete
Begin_Time=2016-11-08 07:00:03
End_Time=2016-11-08 09:02:08
index=sample
sourcetype=scan

The search should be based on the Status_Action and End_Time

SierraX · ‎11-12-2016

Hi,

I would write an alert like this:

index=sample sourcetype=scan Scan_Action=Complete
| stats latest(Scan_Action), latest(End_Time) by host
| eval _time=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| eval seven_d=if(now()-_time>604800,"Longer than 7 Days",NULL)
| search seven_d=*

With an Alert condition of if number of events greater than 0
You do not write something about scanned hosts I guess every scanned host has an own host entry in splunk.
If not, you have to change the host in second line to the entry with the scanned hosts

Kind Regards
SierraX

View solution in original post

SierraX · ‎11-12-2016

Hi,

I would write an alert like this:

index=sample sourcetype=scan Scan_Action=Complete
| stats latest(Scan_Action), latest(End_Time) by host
| eval _time=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| eval seven_d=if(now()-_time>604800,"Longer than 7 Days",NULL)
| search seven_d=*

With an Alert condition of if number of events greater than 0
You do not write something about scanned hosts I guess every scanned host has an own host entry in splunk.
If not, you have to change the host in second line to the entry with the scanned hosts

Kind Regards
SierraX

SierraX · ‎11-13-2016

This is the shorter version to write the 2nd eval command... but not so easy to read or change:

| eval seven_d=if(_time<relative_time(now(),"-7d@m"),"Longer than 7 Days",NULL)

is doing the same job.

renjujacob88 · ‎11-13-2016

index=sample sourcetype=scan Scan_Action=Complete   |latest(End_Time) as End_Time by host | eval
_time=strptime(End_Time,"%Y-%m-%d %H:%M:%S") |eval _time=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
 | eval seven_d=if(now()-_time>604800,"Longer than 7 Days",NULL)
 | search seven_d=*

Thanks for the insight, query did work

renjujacob88 · ‎11-13-2016

HI Sierra,

Thanks for helping me out. Wrote down the query with little correction

index=sample sourcetype=scan Scan_Action=Complete   |latest(End_Time) as End_Time by host | eval
_time=strptime(End_Time,"%Y-%m-%d %H:%M:%S") |eval seven_d=(now()-_time) | where seven_d > 604800 | eval d=strptime(seven_d,"%Y-%m-%d %H:%M:%S")  | Table  host d

SierraX · ‎11-13-2016

You try to parse a kind of epoch time.
now() and _time are both epoch time formats means this are seconds beginning from the 1970-01-01 00:00:00.
When I subtract seconds from seconds the result is also seconds.
This is also the reason why I choose 604800 this are 60*60*24*7

One solution could be:
Evaluate d in corresponding to the epoch time to days like
| eval d=strftime(seven_d,"%d Days %H Hours %M Minutes") | table host d
but this is only useful when you say "time between scans is everytime lower than 31 days". On the 32nd Day it would jump to 01 again because seven_d would be 1970-02-01 00:00:00 as formatted
Better way is to use macros to calculate the date back from seconds to days hours and minutes. But I haven't done this more than a year... need time to have a look.

Splunk Enterprise Security: How to alert on a list of hosts that were not scanned by Symantec for the last 7 days?

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability