Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extreme search: What can I do when then numbers of authenticatoins per source is not normally distributed?

wilhelmF
Path Finder
‎06-09-2017 03:10 AM

Hi,
we are using Enterprise Security. The problem is that we have a few hosts where all the employees login and many machines where only a handful of people login. Therefore we have many failed logins on the main machines with many notable events which basically aren't notable events.

Question
My question: Is there a way to alter the extreme search so that it uses a context which is host dependent i.e. dependent on the overall logins? Or do I need to write a new correlation searches which basically compare the total logins of a machine to the failed logins? Whats the best approach?

Correlation Search
| datamodel("Authentication","Authentication") | stats values(Authentication.tag) as tag,values(Authentication.app) as app,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | drop_dm_object_name("Authentication") | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | settags("access")

Logins per host
alt text

Preview file
22 KB
0 Karma
Reply

wilhelmF
Path Finder
‎06-19-2017 12:59 AM

I learned that by default the context has only one class default. In order to get less notable events I have to create the same context with src classes. Then it works.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎06-09-2017 10:35 AM

Have you seen this great tutorial on Extreme Search by the inimitable George Starcher? While I know it's not an answer directly, I think it could be of great use in helping to find an answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...