Splunk Enterprise Security

Splunk Enterprise Security: How to view events associated to "Change - Abnormally High Number of Endpoint Changes by User - Rule" source?

mbarbaro
Path Finder

alt text

Hello,

i would like to see the Events associated to this source "Change - Abnormally High Number of Endpoint Changes by User - Rule" How can i view them?

When i click on "Visualize Event" nothing happen.

Thanks

0 Karma

danharvey
Explorer

Apologies to update an old thread but as I was looking into tuning this alert myself I thought I'd take the time to give an answer for the 2k views still wondering:

Take a look at the alerts search string itself, it's using "datamodel=Change_Analysis.All_Changes", so the "All_Changes" dataset of the "Change_Analysis" datamodel. You can view events from this by using either:
| datamodel Change_Analysis All_Changes search
or
| from datamodel:Change_Analysis.All_Changes

I ended up tuning out the audittrail and fs_notification sourcetypes from the datamodel as they were generating noise and not needed in my use case.

You can then of course add fields to the datamodel where needed, and include them in the alert search with something along the lines of
| tstats summariesonly=false allow_old_summaries=true count as change_count values(All_Changes.src) as "Source" values(All_Changes.Operation) as "Operation" values(All_Changes.dest) as "Destination" from datamodel=Change_Analysis.All_Changes...etc

and lastly (and optionally) tack on a | fields - WhereCIX to the end of the search to make the alert a bit more readable.

Hopefully that helps those still wondering

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...