Scan Behavior: How to query the trigger for the same period for three consecutive days?

Dustem
Explorer

Hi guys, I want to detect when more than 10 different ports of the same host are sniffed and scanned within a 15-minute window and this is triggered 5 times in a row, then raise an alarm; if the same time period is triggered for three consecutive days, the alarm is triggered.
The current SPL:

index="xx"
| bin _time span=15m
| stats dc(dest_port) as dc_ports by _time src_ip dest_ip
| where dc_ports > 10
| streamstats count as consecutive_triggers by src_ip dest_ip reset_on_change=true
| where consecutive_triggers>=5

 

Next, I don't know how to query the trigger for the same period for three consecutive days.


gcusello
SplunkTrust

Hi @Dustem,

you could save the results of your search in a summary index (using the collect command), then execute the alert on the summary index and trigger it if you have more than 3 results.

Ciao.

Giuseppe


Dustem
Explorer

Hello gcusello,

Sorry, I forgot to reply. I rewrote SPL myself to complete the requirements, thanks for your help.


gcusello
SplunkTrust

Hi @Dustem ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


Dustem
Explorer

Hi gcusello,

How do I set it to trigger at the same time in three days?


gcusello
SplunkTrust

Hi @Dustem,

you schedule your search every day (using the last day as time frame) and you save the results in a summary index, one event every day.

Then you can schedule a search on the summary index, using three days as time frame.

Ciao.

Giuseppe


Dustem
Explorer

Can I do this by writing SPL?


gcusello
SplunkTrust

Hi @Dustem,

yes, you should create an alert, scheduled e.g. once a day, like the following:

index="xx"
| bin _time span=15m
| stats dc(dest_port) as dc_ports by _time src_ip dest_ip
| where dc_ports > 10
| streamstats count as consecutive_triggers by src_ip dest_ip reset_on_change=true
| where consecutive_triggers>=5
| collect index=my_summary

that triggers the conditions you need and saves results in a summary index.

then if the alert is named "scan"

you can search on the summary for the search_name="scan" in the last three days:

index=my_summary search_name=scan
| stats count BY src_ip dest_ip
| where count>5

Obviously you have to adapt my approach to your use case.

Ciao.

Giuseppe

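The two-stage logic discussed in this thread (15-minute bins with more than 10 distinct ports, five such bins in a row, then the same slot firing on three consecutive days), worked through in Python over constructed sample events. This is an added example, not code from the thread or from Splunk; the host names, ports and timestamps are invented, and "same time period" is taken strictly as the same 15-minute-of-day slot in UTC. One point it makes explicit: the SPL posted above applies `where dc_ports > 10` before `streamstats count`, so bins that did not qualify are gone by the time the counter runs and a gap never resets it; `naive_streamstats_count` mirrors that behaviour, `burst_triggers` requires the bins to be adjacent.

```python
"""Port-scan burst detection with adjacency and cross-day repetition checks.

Added example for the Splunk Community thread above; all events are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

BIN = 900            # 15 minutes, matches `bin _time span=15m`
PORT_THRESHOLD = 10  # `where dc_ports > 10`
RUN_LENGTH = 5       # `where consecutive_triggers>=5`
DAYS = 3             # three consecutive days


def bin_ports(events):
    """(src, dst, bin_start) -> set of distinct dest ports.
    Equivalent to `bin _time span=15m | stats dc(dest_port) by _time src_ip dest_ip`."""
    bins = defaultdict(set)
    for ts, src, dst, port in events:
        bins[(src, dst, ts - ts % BIN)].add(port)
    return bins


def naive_streamstats_count(events, threshold=PORT_THRESHOLD):
    """Mirrors the posted SPL: qualifying bins are counted per pair no matter
    how far apart they are, so a quiet bin in between does not reset the count."""
    counts = defaultdict(int)
    for (src, dst, _b), ports in bin_ports(events).items():
        if len(ports) > threshold:
            counts[(src, dst)] += 1
    return dict(counts)


def burst_triggers(events, threshold=PORT_THRESHOLD, run=RUN_LENGTH):
    """Return {(src, dst, bin_start)} for every bin at which a pair has just
    completed `run` *adjacent* qualifying bins. A non-qualifying bin resets the run."""
    qualifying = defaultdict(list)
    for (src, dst, b), ports in bin_ports(events).items():
        if len(ports) > threshold:
            qualifying[(src, dst)].append(b)
    triggers = set()
    for (src, dst), starts in qualifying.items():
        consecutive, prev = 0, None
        for b in sorted(starts):
            consecutive = consecutive + 1 if prev is not None and b - prev == BIN else 1
            prev = b
            if consecutive >= run:
                triggers.add((src, dst, b))
    return triggers


def daily_repeat(triggers, days=DAYS):
    """Return {(src, dst, seconds_of_day)}: slots that fired on `days`
    consecutive UTC calendar days. This is the "same period, three days" rule."""
    days_per_slot = defaultdict(set)
    for src, dst, b in triggers:
        days_per_slot[(src, dst, b % 86400)].add(b // 86400)
    hits = set()
    for key, dayset in days_per_slot.items():
        ordered = sorted(dayset)
        consecutive = 1
        for earlier, later in zip(ordered, ordered[1:]):
            consecutive = consecutive + 1 if later - earlier == 1 else 1
            if consecutive >= days:
                hits.add(key)
    return hits


def make_scan(src, dst, start, n_bins, ports):
    """Constructed sample: each of n_bins adjacent bins sees every port in `ports`."""
    return [(start + i * BIN + 10, src, dst, p) for i in range(n_bins) for p in ports]


# Constructed data set. 10.0.0.5 scans 12 ports in 5 adjacent bins from 02:00 UTC
# on three consecutive days. 10.0.0.9 produces 7 noisy bins, but with one quiet
# bin in the middle (bins 0-3, gap, bins 5-7), so it never has 5 in a row.
T0 = int(datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc).timestamp())
SAMPLE = []
for d in range(3):
    SAMPLE += make_scan("10.0.0.5", "10.0.1.20", T0 + d * 86400, 5, range(1, 13))
SAMPLE += make_scan("10.0.0.9", "10.0.1.20", T0, 4, range(1, 13))
SAMPLE += make_scan("10.0.0.9", "10.0.1.20", T0 + 5 * BIN, 3, range(1, 13))

if __name__ == "__main__":
    print("naive per-pair counts:", naive_streamstats_count(SAMPLE))
    print("adjacent-run triggers:", sorted(burst_triggers(SAMPLE)))
    print("same slot on 3 days:  ", daily_repeat(burst_triggers(SAMPLE)))
```

Running it shows 10.0.0.9 with a naive count of 7, which the posted `where consecutive_triggers>=5` would alert on, while the adjacency-aware check produces no trigger for it; 10.0.0.5 fires once per day at the 02:45 UTC bin and is reported by the three-day rule. To get the same behaviour in SPL the non-qualifying bins have to survive into `streamstats` (a flag from `eval` rather than a `where` filter) and the rows have to be ordered per src_ip/dest_ip pair before counting, otherwise a gap bin cannot reset the counter.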