Splunk Enterprise Security

Splunk Enterprise Security: How to view events associated with the "Change - Abnormally High Number of Endpoint Changes by User - Rule" source?

mbarbaro
Path Finder

Hello,

I would like to see the events associated with this source, "Change - Abnormally High Number of Endpoint Changes by User - Rule". How can I view them?

When I click on "Visualize Event", nothing happens.

Thanks


danharvey
Explorer

Apologies for updating an old thread, but as I was looking into tuning this alert myself, I thought I'd take the time to give an answer for the 2k views still wondering:

Take a look at the alert's search string itself: it's using "datamodel=Change_Analysis.All_Changes", so the "All_Changes" dataset of the "Change_Analysis" data model. You can view events from this by using either:
| datamodel Change_Analysis All_Changes search
or
| from datamodel:Change_Analysis.All_Changes

I ended up tuning out the audittrail and fs_notification sourcetypes from the data model, as they were generating noise and were not needed in my use case.

You can then, of course, add fields to the data model where needed, and include them in the alert search with something along the lines of
| tstats summariesonly=false allow_old_summaries=true count as change_count values(All_Changes.src) as "Source" values(All_Changes.Operation) as "Operation" values(All_Changes.dest) as "Destination" from datamodel=Change_Analysis.All_Changes...etc

and lastly (and optionally) tack a | fields - WhereCIX onto the end of the search to make the alert a bit more readable.

Hopefully that helps those still wondering

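The tstats fragment in the answer above ends in "...etc". Below is a complete search that puts the pieces together, added here as an illustration and not the search string from the thread or from the Enterprise Security content itself. It assumes the Change_Analysis data model exposes the CIM fields user, dest, action and object on All_Changes, that Endpoint_Changes is a child dataset of All_Changes (the ES rule name suggests it scopes to endpoint changes), and that the noisy audittrail and fs_notification sourcetypes are excluded in the tstats WHERE clause rather than in the data model constraints. The median-plus-standard-deviation threshold at the end is a stand-in for whatever statistic the shipped rule uses; tune it to your environment.

```spl
| tstats summariesonly=false allow_old_summaries=true
    count AS change_count
    dc(All_Changes.dest)      AS dest_count
    values(All_Changes.action) AS action
    values(All_Changes.dest)   AS dest
    values(All_Changes.object) AS object
  FROM datamodel=Change_Analysis.All_Changes
  WHERE nodename=All_Changes.Endpoint_Changes
    sourcetype!=audittrail sourcetype!=fs_notification
    earliest=-24h latest=now
  BY All_Changes.user
| rename All_Changes.* AS *
| eventstats median(change_count) AS median_count, stdev(change_count) AS stdev_count
| where change_count > median_count + 3 * stdev_count
| sort - change_count
| fields - WhereCIX
```

Run the first two lines on their own (drop everything after BY) to see which users and sourcetypes dominate the counts before tuning; if the sourcetype exclusion removes most of the volume, consider moving it into the data model constraint so the acceleration summaries shrink as well. Once the search returns the users you expect, paste the same fragment back into the correlation search so the notable event carries dest, action and object alongside the count.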