Splunk Search

Splunk throttling issues to overcome false positive alerts in correlation search

renjujacob88
Path Finder

Hi Splunkers,

We do have a correlation rule for distinct malware infected on a system ( two ore more different malware on the system). The problem we are facing is that the splunk is triggering false notable event(alert) . The scenarios are all explained below along with correlation parameters and splunk query

tag=sophos_malware sourcetype="sophos:threats"| eval detection_identity_name=coalesce(detection_identity_name,threat)
|stats values(_time) as Timestamp values(type) as Malware_Action values(detection_identity_name) as signature values(filePath) as
filepath dc(filePath) as Unique_filepath_count values(suser) as Malware_affected_user dc(detection_identity_name) as UniqMalware_count values(endpoint_type) as Endpoint_Type count by dhost | Rename count as Malware_Count |convert
where UniqMalware_count 1

Splunk Condition

Time range is last 15 days
Cron Schedule every hour (every hour for last 15 days)

Scheduling : Continous
Throttling Condition
Window Duration: 15 days Fields to
group by : dhost signature filepath

Scenario explained

Imagine renju host is infected with three malwares at different time stamp. On detecting the second malware, splunk will throw an alert and on detecting third malware it will again throw alert. As the throttling period is 15 days , after 15 days it will run and splunk will see a change in malware signature and will trigger the alert.

Oct 10 - 10am Host Renju Malware-Anil

Oct 11 -11am Host Renju Malware-Peeyush -- ALert triggered as condition is met
Oct 12-11am Host Renju Malware-Sudhir--Alert triggered as condition met
Oct 25 ( at 12am splunk will trigger a false positive alert stating it has identified renju host with peeyush and sudhir( Anil malware wont be present as splunk timerange wont pick it). But this was reported on Oct 12).

How to prevent splunk from triggering the false positive ?
is there any workaround on this issue? as all malwares were addressed
What happens if i don't mention any values in throttling Window duration (keepin it blank) but mentioning the group by fields as grouping dhost signature filepath
What happens if i don't mention any values in throttling Window duration (keepin it blank) and fields.

0 Karma

renjujacob88
Path Finder

@DalJeanis Thanks for replying. The query which you gave is not working. Can you provide me whole query( i tried getting the picture and wrote it down, please let me know if it's right)

Is there any workaround on the throttling side in the correlation search.

tag=sophos_malware sourcetype="sophos:threats"| eval detection_identity_name=coalesce(detection_identity_name,threat) |stats values(_time) as Timestamp max(_time) as maxtime min(_time) as mintime values(type) as Malware_Action values(detection_identity_name) as signature values(filePath) as filepath dc(filePath) as Unique_filepath_count values(suser) as Malware_affected_user dc(detection_identity_name) as UniqMalware_count values(endpoint_type) as Endpoint_Type count by dhost | Rename count as Malware_Count | where UniqMalware_count > 1 |addinfo | where maxtime > mintime - 1296000

according to above scenario
How can i suppress the alert triggering on oct26. The splunk sees a change in the signature field from 3 to 2 and it will trigger . But as the aert was handled by the analyst on oct 12. How to remove the false positive alert? Pls help

0 Karma

DalJeanis
Legend

First, add max(_timestamp) as maxtime to the stats command.

Second, after the given query, add...

   | addinfo
   | where maxtime> info_max_timestamp-7200

This will only alert if the most recent signature was in the last two hours. You can adjust the 7200 figure to whatever duration you would like.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...