Splunk Enterprise Security

SplunkES: List Enabled Notable Activity Last 90 Days

Handy search for a dashboard

earliest=-90d@d `notable` 
| eval isSuppressed=if(match(eventtype,"Suppression"),1,0)
| stats count(eval(like(urgency,"informational"))) as informational_count count(eval(like(urgency,"low"))) as low_count count(eval(like(urgency,"medium"))) as medium_count count(eval(like(urgency,"high"))) as high_count count(eval(like(urgency,"critical"))) as critical_count, sum(isSuppressed) as suppression_count, sparkline(count) as activity by rule_name 
| join rule_name 
    [| rest splunk_server=local count=0 /services/saved/searches 
    | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
    | rename action.correlationsearch.label as rule_name action.risk.param._risk as risk_json 
    | eval status = if(disabled=="1","disabled","enabled") 
    | fields rule_name status]
| search status!=disabled 
| eval informational_count = if(isnull(informational_count),0,informational_count), low_count = if(isnull(low_count),0,low_count), medium_count = if(isnull(medium_count),0,medium_count), high_count = if(isnull(high_count),0,high_count), critical_count = if(isnull(critical_count),0,critical_count) , suppression_count = if(isnull(suppression_count),0,suppression_count) 
| fields rule_name activity suppression_count informational_count low_count medium_count high_count critical_count 
| addtotals critical_count high_count medium_count low_count informational_count
| sort - Total critical_count high_count medium_count low_count informational_count
| rename Total as total_reported
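The following is an added Python model of the pipeline the search above runs, not code from the original post or from Splunk. It works on constructed stand-ins for the `notable` events and for the records that `| rest /services/saved/searches` returns (the rule names and field values are made up), and it reproduces each step: per-urgency and suppression counts per rule_name, the inner `join` against enabled correlation searches, the null-to-zero fill, the `addtotals` over the urgency counts only, and the final ordering. It is useful for reasoning about what the dashboard does and does not show: suppressed notables still count towards activity and their urgency bucket, and rules that no longer exist as enabled correlation searches drop out entirely.

```python
"""Offline model of the Splunk ES 'enabled notable activity' dashboard search.

All data below is constructed for illustration; it is not output from a real
Splunk instance. The functions mirror the SPL pipeline step by step.
"""
import re
from collections import defaultdict

URGENCIES = ["informational", "low", "medium", "high", "critical"]

# Constructed notable events (stand-ins for `notable` over the last 90 days).
NOTABLES = [
    {"rule_name": "Brute Force Access Behavior Detected", "urgency": "high", "eventtype": "notable"},
    {"rule_name": "Brute Force Access Behavior Detected", "urgency": "high", "eventtype": "Suppression-lab_hosts"},
    {"rule_name": "Brute Force Access Behavior Detected", "urgency": "medium", "eventtype": "notable"},
    {"rule_name": "Excessive Failed Logins", "urgency": "low", "eventtype": "notable"},
    {"rule_name": "Excessive Failed Logins", "urgency": "critical", "eventtype": "notable"},
    {"rule_name": "Old Disabled Rule", "urgency": "informational", "eventtype": "notable"},
    {"rule_name": "Ad Hoc Analyst Notable", "urgency": "low", "eventtype": "notable"},
]

# Constructed saved-search records (stand-ins for | rest /services/saved/searches).
SAVED_SEARCHES = [
    {"action.correlationsearch.enabled": "1", "action.correlationsearch.label": "Brute Force Access Behavior Detected", "disabled": "0"},
    {"action.correlationsearch.enabled": "true", "action.correlationsearch.label": "Excessive Failed Logins", "disabled": "0"},
    {"action.correlationsearch.enabled": "1", "action.correlationsearch.label": "Old Disabled Rule", "disabled": "1"},
    {"action.correlationsearch.enabled": "0", "action.correlationsearch.label": "Not A Correlation Search", "disabled": "0"},
]

# Same (unanchored) pattern the search's `where match(...)` clause uses.
ENABLED_RE = re.compile(r"1|[Tt]|[Tt][Rr][Uu][Ee]")
# Same case-sensitive pattern as `match(eventtype,"Suppression")` in the search.
SUPPRESSION_RE = re.compile(r"Suppression")


def stats_by_rule(notables):
    """The eval + stats steps: urgency counts, suppression count and activity per rule_name."""
    def empty_row():
        row = {f"{u}_count": 0 for u in URGENCIES}
        row.update({"suppression_count": 0, "activity": 0})
        return row

    rows = defaultdict(empty_row)
    for ev in notables:
        row = rows[ev["rule_name"]]
        row["activity"] += 1  # stands in for sparkline(count): every event counts, suppressed or not
        if SUPPRESSION_RE.search(ev.get("eventtype", "")):
            row["suppression_count"] += 1  # isSuppressed=1
        key = f"{ev.get('urgency', '').lower()}_count"
        if key in row:  # like(urgency, "<level>") buckets; unknown urgencies are not counted
            row[key] += 1
    return dict(rows)


def enabled_correlation_searches(saved_searches):
    """The subsearch: correlation-search label -> 'enabled' or 'disabled'."""
    status = {}
    for s in saved_searches:
        if not ENABLED_RE.search(s.get("action.correlationsearch.enabled", "")):
            continue  # not a correlation search
        status[s["action.correlationsearch.label"]] = "disabled" if s.get("disabled") == "1" else "enabled"
    return status


def enabled_notable_activity(notables, saved_searches):
    """Full pipeline: stats, inner join on rule_name, drop disabled, fill nulls, totals, sort."""
    stats = stats_by_rule(notables)
    status = enabled_correlation_searches(saved_searches)
    result = []
    for rule_name, row in stats.items():
        # `join` is an inner join, so notables whose rule_name matches no correlation
        # search (for example ad hoc notables) drop out; `search status!=disabled`
        # then removes rules that exist but are disabled.
        if status.get(rule_name) != "enabled":
            continue
        row = dict(row, rule_name=rule_name)
        # addtotals covers the urgency counts only; suppression_count is not part of the total.
        row["total_reported"] = sum(row[f"{u}_count"] for u in URGENCIES)
        result.append(row)
    # Total descending first. The tie-breakers are descending here as well; in SPL each
    # sort field takes its own +/- sign, so `sort - Total critical_count` leaves the
    # later fields ascending unless each is prefixed with `-`.
    result.sort(key=lambda r: tuple(-r[k] for k in ["total_reported"] + [f"{u}_count" for u in reversed(URGENCIES)]))
    return result


if __name__ == "__main__":
    for r in enabled_notable_activity(NOTABLES, SAVED_SEARCHES):
        print(r["rule_name"], r["total_reported"], r["suppression_count"], r["activity"])
```

One check worth making against your own deployment before trusting the suppression column: `match()` is case-sensitive, so the `"Suppression"` pattern only counts notables whose eventtype contains that exact capitalised string; if the suppression eventtypes in your environment are named in lower case, `(?i)suppression` is the pattern that would count them.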