×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
askrei
Engager
Member since: ‎12-15-2014
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎12-15-2014
View All

Re: How can I trigger and alert for a search over ...

by in Splunk Enterprise Security
‎06-24-2015 08:50 PM
‎06-24-2015 08:50 PM
The idea is to run the search every 60 min and look back 60 min, every 4 hrs and look back 4 hrs, ect... If a high risk object is found during 60 min I would want a notable event to be created but for it not to generate a notable event when the search runs across 4, 8 and 24 hrs. However the search should create a new notable event if risk score increases again by 100 points in 60 min. Example: userX accumulates a risk score of 150 between 10am-11am on Monday and a notable event is created. Since a notable has been created I would not want a new notable to fire when the search runs for 4,8, and 24hrs. However if the same user, userX accumulates another 125 pts of risk between 1pm-2pm I would want another Notable Event to be created. I tried using a subsearch against the notable index but could not find a way to pass the risk_object through. ... View more

How can I trigger and alert for a search over 60 m...

by in Splunk Enterprise Security
‎06-24-2015 05:12 PM
1 Karma
‎06-24-2015 05:12 PM
1 Karma
I am trying to create Notable Events using the Splunk ES risk framework and I want to setup multiple correlation searches each with different time intervals and assign them different urgencies. To start I have a searches that look for risk_score>100 over 60 min, 4hrs, 8hrs, and 24hrs. If a risk object has a risk score > 100 in 60 min it will fire the first alert. Moving forward when the 4hr, 8hr, and 24hr search runs I would not want another Notable Event to be triggered on the same risk_object. Similarity if an alert fires for a risk score > 100 within 4 hours I would not want another Notable Event to be created when the 8hr and 24hr queries run. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All