Hi Splunkers,
We have a correlation rule for distinct malware infections on a system (two or more different malware on the same system). The problem we are facing is that Splunk is triggering false notable events (alerts). The scenario is explained below along with the correlation parameters and the Splunk query.
tag=sophos_malware sourcetype="sophos:threats"
| eval detection_identity_name=coalesce(detection_identity_name,threat)
| stats values(_time) as Timestamp values(type) as Malware_Action values(detection_identity_name) as signature values(filePath) as filepath dc(filePath) as Unique_filepath_count values(suser) as Malware_affected_user dc(detection_identity_name) as UniqMalware_count values(endpoint_type) as Endpoint_Type count by dhost
| rename count as Malware_Count
| where UniqMalware_count > 1
Splunk condition
Time range: last 15 days
Cron schedule: every hour (every hour over the last 15 days); scheduling: continuous
Throttling condition
Window duration: 15 days
Fields to group by: dhost, signature, filepath
Scenario explained
Imagine host renju is infected with three malwares at different timestamps. On detecting the second malware, Splunk will throw an alert, and on detecting the third malware it will throw an alert again. As the throttling period is 15 days, after 15 days the search will run, Splunk will see a change in the malware signature and will trigger the alert.
Oct 10 - 10am Host Renju Malware-Anil
Oct 11 - 11am Host Renju Malware-Peeyush -- alert triggered as condition is met
Oct 12 - 11am Host Renju Malware-Sudhir -- alert triggered as condition is met
Oct 25 (at 12am Splunk will trigger a false positive alert stating it has identified host renju with Peeyush and Sudhir (the Anil malware won't be present as Splunk's time range won't pick it up). But this was already reported on Oct 12.)
How to prevent Splunk from triggering the false positive?
Is there any workaround for this issue, as all the malwares were addressed?
What happens if I don't mention any value in the throttling window duration (keeping it blank) but still mention the group-by fields dhost, signature, filepath?
What happens if I don't mention any value in the throttling window duration (keeping it blank) and no fields either?
@DalJeanis Thanks for replying. The query which you gave is not working. Can you provide me the whole query? (I tried getting the picture and wrote it down; please let me know if it's right.)
Is there any workaround on the throttling side in the correlation search?
tag=sophos_malware sourcetype="sophos:threats"
| eval detection_identity_name=coalesce(detection_identity_name,threat)
| stats values(_time) as Timestamp max(_time) as maxtime min(_time) as mintime values(type) as Malware_Action values(detection_identity_name) as signature values(filePath) as filepath dc(filePath) as Unique_filepath_count values(suser) as Malware_affected_user dc(detection_identity_name) as UniqMalware_count values(endpoint_type) as Endpoint_Type count by dhost
| rename count as Malware_Count
| where UniqMalware_count > 1
| addinfo
| where maxtime > mintime - 1296000
According to the above scenario:
How can I suppress the alert triggering on Oct 26? Splunk sees a change in the signature field from 3 values to 2 and triggers. But the alert was already handled by the analyst on Oct 12. How do I remove the false positive alert? Please help.
First, add max(_time) as maxtime to the stats command.
Second, after the given query, add...
| addinfo
| where maxtime > info_max_time - 7200
This will only alert if the most recent signature was in the last two hours. You can adjust the 7200 figure to whatever duration you would like.
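The scenario from the question and the two-hour gate from the answer, as an added Python simulation (not Splunk's code or the poster's SPL): it runs the correlation search hourly over constructed detections for one host, with the 15-day time range and the dhost/signature/filepath throttle, and shows the Oct 25 notable appearing without the gate and being suppressed with it. The year (2018), the file paths and the throttle expiry model are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample detections mirroring the question (year is assumed):
# (_time, dhost, detection_identity_name, filePath)
EVENTS = [
    (datetime(2018, 10, 10, 10), "renju", "Malware-Anil",    "C:\\a.exe"),
    (datetime(2018, 10, 11, 11), "renju", "Malware-Peeyush", "C:\\b.exe"),
    (datetime(2018, 10, 12, 11), "renju", "Malware-Sudhir",  "C:\\c.exe"),
]
WINDOW = timedelta(days=15)  # both the search time range and the throttle window

def stats_by_host(events, now):
    """Approximate 'stats values(...) dc(...) max(_time) by dhost' over the last 15 days."""
    hosts = {}
    for ts, dhost, sig, path in events:
        if now - WINDOW <= ts <= now:
            h = hosts.setdefault(dhost, {"sigs": set(), "paths": set(), "maxtime": ts})
            h["sigs"].add(sig)
            h["paths"].add(path)
            h["maxtime"] = max(h["maxtime"], ts)
    return hosts

def run_search(events, now, throttle, recent_seconds=None):
    """One scheduled run. throttle maps (dhost, signatures, filepaths) keys to their
    suppression expiry. recent_seconds, if set, is the 'maxtime > info_max_time - N'
    gate from the answer. Returns the notables this run would create."""
    fired = []
    for dhost, h in stats_by_host(events, now).items():
        if len(h["sigs"]) <= 1:                      # where UniqMalware_count > 1
            continue
        if recent_seconds is not None and (now - h["maxtime"]).total_seconds() > recent_seconds:
            continue                                 # newest detection is stale: do not alert
        key = (dhost, frozenset(h["sigs"]), frozenset(h["paths"]))
        if throttle.get(key, datetime.min) > now:    # same group-by values already alerted
            continue
        throttle[key] = now + WINDOW
        fired.append((now.isoformat(), dhost, sorted(h["sigs"])))
    return fired

def simulate(events=EVENTS, start=datetime(2018, 10, 10), end=datetime(2018, 10, 28),
             recent_seconds=None):
    """Run the correlation search every hour between start and end, as the cron schedule does."""
    throttle, fired, now = {}, [], start
    while now <= end:
        fired += run_search(events, now, throttle, recent_seconds)
        now += timedelta(hours=1)
    return fired

if __name__ == "__main__":
    for label, gate in (("no gate", None), ("two-hour gate", 7200)):
        print(label, [(t, sigs) for t, _, sigs in simulate(recent_seconds=gate)])
```

The third notable without the gate fires at Oct 25 11:00, the first hourly run in which the Oct 10 detection has left the 15-day range and the signature set changes; the gate drops it because the newest detection on the host is 13 days old.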