Splunk Search
Highlighted

New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written

Explorer

index=appproxy sourcetype=bcoatproxysgapp OR sourcetype=bcoatproxyclientapp categories="Malicous Sources" OR "Botnets" | stats count by username,host,referrer | count> 1 | table _time username,host,referrer filterresults

Tags (1)
0 Karma
Highlighted

Re: New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written

SplunkTrust
SplunkTrust

Do elaborate on what you actually need help with.

Highlighted

Re: New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written

Explorer

does the rule make sense to you as is?

0 Karma
Highlighted

Re: New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written

SplunkTrust
SplunkTrust

There's likely a syntax error in | count > 1 | due to lack of a search command such as search or where - both will achieve what you wanted and throw out events with count=1.

0 Karma
Highlighted

Re: New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written

SplunkTrust
SplunkTrust

Sure - this looks like a search that returns information. However, it probably won't get the categories you are looking for. The below splits out the categories into the cim field "category". If this works for what you are looking for, then it makes sense.

index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app category="Malicous Sources" OR category="Botnets" | stats count by username,host,referrer | where count> 1 | table _time username,host,referrer filter_results
Highlighted

Re: New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written

SplunkTrust
SplunkTrust

Additionally, after the stats there are no _time and filter_results columns, so listing them in table doesn't seem to make sense to me.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.