Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extreme search: What can I do when then numbers of authenticatoins per source is not normally distributed?

wilhelmF
Path Finder
‎06-09-2017 03:10 AM

Hi,
we are using Enterprise Security. The problem is that we have a few hosts where all the employees login and many machines where only a handful of people login. Therefore we have many failed logins on the main machines with many notable events which basically aren't notable events.

Question
My question: Is there a way to alter the extreme search so that it uses a context which is host dependent i.e. dependent on the overall logins? Or do I need to write a new correlation searches which basically compare the total logins of a machine to the failed logins? Whats the best approach?

Correlation Search
| datamodel("Authentication","Authentication") | stats values(Authentication.tag) as tag,values(Authentication.app) as app,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | drop_dm_object_name("Authentication") | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | settags("access")

Logins per host
alt text

Preview file
22 KB
0 Karma
Reply

wilhelmF
Path Finder
‎06-19-2017 12:59 AM

I learned that by default the context has only one class default. In order to get less notable events I have to create the same context with src classes. Then it works.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎06-09-2017 10:35 AM

Have you seen this great tutorial on Extreme Search by the inimitable George Starcher? While I know it's not an answer directly, I think it could be of great use in helping to find an answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...