Creating a Splunk Alert Rule for Anomoly's detecte...

CyberCyberSec · ‎10-14-2020

Hello,

I am trying to create a splunk alert to trigger when it detects an anomaly in the firewall logs based on IDS signature.

I created a pretty good graph that would work well in a dasboard, but I need it to populate a table or stats on when a outlier is found and which signature it is.

This is what I have so far:

index="firewall" sourcetype="threat" tag=attack action=allowed
| bin _time span=4h
| eventstats count(signature) as "Count" by _time
| eventstats values(Count) as valu
| eventstats count(valu) as help by _time
| eventstats median(Count) as med
| eval newValue = abs(Count-med)
| eventstats median(newValue) as medianAbsDev by signature
| eval upper = med+(medianAbsDev*1.1)
| eval lower = 0
| eval isOutlier=if(Count < lower OR Count > upper, 1,0)
| timechart count span=1h count(signature) as CountOfIndicator, eval(values(upper)) as upperl, eval(values(lower)) as lowerl, eval(values(isOutlier)) as Outliers by signature usenull=f useother=f
|filldown

I just need to be able to identify the outliers in a table so I can have it generate an alert when the query has results.

Creating a Splunk Alert Rule for Anomoly's detected

chart

stats

table

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation