Splunk Enterprise Security

Splunk Enterprise Security: How to modify extreme search context count_30m to 1 week?



How to change the Splunk ES context count_30m to 1 week and only limited to Deny traffic? I need to create correlation search for deny traffic exceed the average of previous week DENY Traffic Volume.


0 Karma

Splunk Employee
Splunk Employee

There are a couple of moving parts here that will need to be addressed. I am going to use the Unusual Amount of Network Activity correlation search as an example since I am not entirely sure what you are using.

There are two components to this search, a context generation search that is running in the background and the actual correlation search. As always I would recommend making a copy of both so if you need to revert back to the earlier one, you can do that.

First thing I want to do is get my context generation searches set for the 1 week context as well as the deny. There are two of them that tie to my example, Network - Traffic Volume Per 30m - Context Gen and Network - Traffic Volume Per 30m src - Context Gen.

These searches have tstats running in them that are giving me counts on windows that are 30 min each and do my scoring for extreme search. I will want to modify these searches to change their time span to the seven days you mentioned and I want to change from searching All Traffic to just Blocked Traffic. Based on that, the root search for the context gen would need to look something like this:
| tstats summariesonly count as total_count from datamodel=Network_Traffic where nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic by _time span=7d
I would also want to change my context name in the search. Currently it is xsupdateddcontext name=count_30m That name is what you will carry across to the actual correlation search.

Once that has been done for both context gens, you can look at the correlation search.
The basic correlation search will need to be modified to accommodate the blocked traffic using the where clause similar to the context gen
where nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic

You may want to modify the dc(All_Traffic.src) though the Blocked Traffic should do that for you already, but you may want to test.

You will also want to modify your XSWHERE statements and put the names into it that you created with your context gen. The defaults are the count_30m and src_count_30m so they need to be adjusted.

From there, I would test and validate but I think this gets you what you are looking for.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...