Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

symantec DLP

aliroumani
Explorer
‎11-01-2016 11:57 PM

Dear Sirs,
in symantec dlp we have different policies consider it as (1,2,3,...etc) and when i user violate any policy we will receive logs showing that,
another case is when a user violate 2 policies at the same time (like 1 and 2 together) still the dlp showing each event as a seperate one.
my question is, how can i write a search in splunk that will show me if two policies violated at the same time by the same user.
for example, sending external e-mail is a policy and sending confidential documents is a policy, so in case someone send external email with confidential documents in it this is violation for 2 policies in same time, and thats what i'm looking for.
regards

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DMohn
Motivator
‎11-02-2016 02:27 AM

The easiest (yet not most elegant) way would be using the transaction command. Depending on the amount of events to search, this command may pr pretty "expensive" to run - so keep this in mind if you experience performance issues.

Assuming you have the username as field user, and the violation events are within less than 5 seconds, your search could be something like this:

 <base search that returns violations events> | transaction user maxpause=5s | where linecount > 1

This will group the violation events together and only keep those where more than 1 violation occurred within 5s.

Hope this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DMohn
Motivator
‎11-02-2016 02:27 AM

The easiest (yet not most elegant) way would be using the transaction command. Depending on the amount of events to search, this command may pr pretty "expensive" to run - so keep this in mind if you experience performance issues.

Assuming you have the username as field user, and the violation events are within less than 5 seconds, your search could be something like this:

 <base search that returns violations events> | transaction user maxpause=5s | where linecount > 1

This will group the violation events together and only keep those where more than 1 violation occurred within 5s.

Hope this helps!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...