Re: How do we enhance the dlp search ?

AL3Z · ‎05-18-2023

Hi,

I need a help in enhancing the below search if users triggers one or more of these policies:
Index=dlp sourcetype=dlpalerts

policy=" All Apps " OR policy=" Gmail" OR policy=" GDrive"

AND ```one or more of these policies```

policy="All Policies" AND activity=upload

``` exclude all instances present in the lookup table instance.csv from this search ```

OR

policy="All Apps - Password Protected Files - Alert"

```exclude all instances present in instance.csv from this search ```

OR

alert_type=ews and alert_name=" uploads"

``` exclude all instance_id present in instance.csv from this search ```

|Stats earliest (_time) as incident_time,values(activity)as activity,values(instance_id)as instance_id ,values(alert_type) as alert_type,values(alert_name)as alert_name
By user,policy
Thanks

richgalloway · ‎05-21-2023

Have you tried something like this?

index=dlp sourcetype=dlpalerts
  (policy=" All Apps " OR policy=" Gmail" OR policy=" GDrive")
  ((policy="All Policies" AND activity=upload) OR
   (policy="All Apps - Password Protected Files - Alert") OR
   (alert_type=ews alert_name=" uploads"))
 NOT [ | inputlookup instance.csv | fields instance_id ]
|Stats earliest (_time) as incident_time,values(activity)as activity,values(instance_id)as instance_id ,values(alert_type) as alert_type,values(alert_name)as alert_name

---
If this reply helps you, Karma would be appreciated.

AL3Z · ‎07-14-2023

@richgalloway

Hi Can you help me in writing the above search in drilldownsearch format in Adaptive Response Actions

+ Add New Response Action

Notable

while creating correlation search in ES ?

richgalloway · ‎07-14-2023

Adaptive Response Actions use the same SPL as other search queries.

---
If this reply helps you, Karma would be appreciated.

How do we enhance the dlp search ?

fields

other

subsearch

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes