Splunk Enterprise Security

i need search query for status change hear when tha same status will come 2 times it will ignore 2nd event if other status will come it will generate the alert

mahendra559
New Member

event status : False positive (25 may)
False positive (24 may)
Investigating (23 may)
Investigating (22 may)
Service degradation (21 may)

Hear status changed Service degradation to investigating then alert wants to raised
then status changed investigating to investigating then alert is not raised.
then status changed from investigating to false positive then alert wants raised.

dash board query:
index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval myTimeNewEpoch=strptime(UpdatedTime,"%Y-%m-%dT%H:%M:%S")
| eval UpdatedTime=strftime(myTimeNewEpoch,"%Y-%m-%d %H:%M:%S")
| table LastUpdatedTime DisplayName Status Description
| rename UpdatedTime as Time DisplayName as Application
| sort -Time

please help me with the query to create the alert

Thanks in advance

Labels (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval _time=strptime(UpdatedTime,"%Y-%m-%dT%H:%M:%S")
| rename DisplayName as Application
| table _time Application Status Description
| sort _time
| autoregress Status as Status_p
| where (Status="investigating" AND Status_p="Service degradation") OR (Status="false positive" AND Status_p="investigating")
| eval _time=strftime(_time, "%F %T")

If event count > 0 , fire alert.

View solution in original post

0 Karma

to4kawa
Ultra Champion
index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval _time=strptime(UpdatedTime,"%Y-%m-%dT%H:%M:%S")
| rename DisplayName as Application
| table _time Application Status Description
| sort _time
| autoregress Status as Status_p
| where (Status="investigating" AND Status_p="Service degradation") OR (Status="false positive" AND Status_p="investigating")
| eval _time=strftime(_time, "%F %T")

If event count > 0 , fire alert.

0 Karma

mahendra559
New Member

Tanks for your answer to4kawa but its not giving any results

hear my requirement is:
if 22nd and 23rd is same status then it will pick 22nd event only
and then 23rd and 24th are different status at that time it will pick 23rd and 24th events as well
and 24th, 25th same status so it will pick 24th one only
(simply when ever status change at that time it will pick the event other wise it will not pick the same event again and again )

0 Karma

to4kawa
Ultra Champion

its not giving any results
What's this?

You are going to fire alert at status changing. aren't you?

Alerting and pick events are different. which do you want?

0 Karma

mahendra559
New Member

Actual requirement is when status field values are changed from one to another alert needs to be triggered

below are the status field values

Extended recovery
Investigation suspended
False positive
Investigating
Service degradation
Service restored
Restoring service
Post-incident report published

Ex: if status field value from false positive to investigating then alert should be triggered
If field value false positive to false positive then no alert should be triggered.

Thanks in advance

0 Karma

to4kawa
Ultra Champion

| where (Status="investigating" AND Status_p="Service degradation") OR (Status="false positive" AND Status_p="investigating")

| where Status!=Status_p

0 Karma

mahendra559
New Member

Hear my condition is we have a 8 status values is if status1 is the latest event then it compare with the up coming events like status2,status3 etc.... status8

If the latest status1==up coming status then no alarm raise

If the new(up coming status) latest status1!=up coming status then alarm raise

(every time it compare with the latest event to up coming event if latest and up coming events are same no alarm then alarm)

Thanks In Advance

0 Karma

mahendra559
New Member

Thanks for your answer but it didn't give any statistic value but it has given results in verbose mode i think we need to compare with latest status value and before that latest status value
if latest status and before latest value will be same no alarm raise if it is different alarm should be raise

EX: latest status=Extended recovery
before latest status= Investigation suspended
Extended recovery==Extended recovery (no alert)
Extended recovery== Investigation suspended (alert raise)

(Every time it pick the latest event and compare with all other event values if latest and coming events are same no alert , if latest and coming events are different then raise alert )

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...