New rule in detecting multiple requests for a know...

ahmar74 · ‎09-22-2014

index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app categories="Malicous Sources" OR "Botnets" | stats count by username,host,referrer | count> 1 | table _time username,host,referrer filter_results

martin_mueller · ‎09-24-2014

Additionally, after the stats there are no _time and filter_results columns, so listing them in table doesn't seem to make sense to me.

alacercogitatus · ‎09-23-2014

Sure - this looks like a search that returns information. However, it probably won't get the categories you are looking for. The below splits out the categories into the cim field "category". If this works for what you are looking for, then it makes sense.

index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app category="Malicous Sources" OR category="Botnets" | stats count by username,host,referrer | where count> 1 | table _time username,host,referrer filter_results

martin_mueller · ‎09-23-2014

There's likely a syntax error in | count > 1 | due to lack of a search command such as search or where - both will achieve what you wanted and throw out events with count=1.

ahmar74 · ‎09-23-2014

does the rule make sense to you as is?

martin_mueller · ‎09-23-2014

Do elaborate on what you actually need help with.

New rule in detecting multiple requests for a known Malicious destination from a single source could use help with the way the rule is written

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services