Splunk Search

Creating a Splunk Alert Rule for Anomoly's detected




I am trying to create a splunk alert to trigger when it detects an anomaly in the firewall logs based on IDS signature.


I created a pretty good graph that would work well in a dasboard, but I need it to populate a table or stats on when a outlier is found and which signature it is.


This is what I have so far:

index="firewall" sourcetype="threat" tag=attack action=allowed
| bin _time span=4h
| eventstats count(signature) as "Count" by _time
| eventstats values(Count) as valu
| eventstats count(valu) as help by _time
| eventstats median(Count) as med
| eval newValue = abs(Count-med)
| eventstats median(newValue) as medianAbsDev by signature
| eval upper = med+(medianAbsDev*1.1)
| eval lower = 0
| eval isOutlier=if(Count < lower OR Count > upper, 1,0)
| timechart count span=1h count(signature) as CountOfIndicator, eval(values(upper)) as upperl, eval(values(lower)) as lowerl, eval(values(isOutlier)) as Outliers by signature usenull=f useother=f



I just need to be able to identify the outliers in a table so I can have it generate an alert when the query has results.

Labels (4)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...