Splunk Enterprise Security

extreme search: What can I do when the number of authentications per source is not normally distributed?

wilhelmF
Path Finder

Hi,
we are using Enterprise Security. The problem is that we have a few hosts where all the employees log in and many machines where only a handful of people log in. Therefore we have many failed logins on the main machines, with many notable events which basically aren't notable events.

Question
My question: Is there a way to alter the extreme search so that it uses a context which is host dependent, i.e. dependent on the overall logins? Or do I need to write new correlation searches which basically compare the total logins of a machine to the failed logins? What's the best approach?

Correlation Search
| `datamodel("Authentication","Authentication")`
| stats values(Authentication.tag) as tag, values(Authentication.app) as app, count(eval('Authentication.action'=="failure")) as failure, count(eval('Authentication.action'=="success")) as success by Authentication.src
| `drop_dm_object_name("Authentication")`
| search success>0
| xswhere failure from failures_by_src_count_1h in authentication is above medium
| `settags("access")`

[Image: Logins per host]

0 Karma

wilhelmF
Path Finder

I learned that by default the context has only one class, default. In order to get fewer notable events I have to create the same context with src classes. Then it works.

0 Karma
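
Added example, not part of the thread and not Splunk's Extreme Search implementation: a Python model of why a context with a single pooled "default" class keeps flagging the shared login hosts, while the same context with one class per src does not. The host names, the counts and the 2 x median cut-off standing in for "above medium" are constructed assumptions.

```python
from statistics import median

# Constructed sample data: failed logins per source in five baseline hours.
BASELINE = {
    "login-gw-01": [40, 42, 38, 41, 39],  # shared host, most staff log in here
    "ws-0017": [0, 1, 0, 1, 0],           # single-user workstation
    "ws-0042": [1, 0, 1, 0, 1],
}
# Constructed failure counts for the hour being evaluated.
CURRENT = {"login-gw-01": 44, "ws-0017": 9, "ws-0042": 1, "ws-0099": 3}

FACTOR = 2.0  # assumption: "above medium" approximated as > 2 x median


def cutoff(counts):
    """Threshold for one class; the floor of 1 keeps an all-zero baseline usable."""
    return FACTOR * max(median(counts), 1)


def default_only_context(baseline):
    """One class ('default') built from every source's counts pooled together."""
    pooled = [c for counts in baseline.values() for c in counts]
    return {"default": cutoff(pooled)}


def per_src_context(baseline):
    """One class per src, plus 'default' for sources with no baseline yet."""
    ctx = default_only_context(baseline)
    ctx.update({src: cutoff(counts) for src, counts in baseline.items()})
    return ctx


def notables(current, ctx):
    """Sources whose failure count exceeds the cut-off of their class."""
    return sorted(s for s, n in current.items() if n > ctx.get(s, ctx["default"]))


if __name__ == "__main__":
    print("default class only:", notables(CURRENT, default_only_context(BASELINE)))
    print("per-src classes:   ", notables(CURRENT, per_src_context(BASELINE)))
```

With the pooled class the many quiet workstations drag the median down, so the shared host is flagged every hour; with per-src classes it is compared against its own baseline, and only the workstation spike and the unknown source remain.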

Richfez
SplunkTrust

Have you seen this great tutorial on Extreme Search by the inimitable George Starcher? While I know it's not an answer directly, I think it could be of great use in helping to find an answer.

0 Karma