Hello fellow Splunkers, is it possible for Splunk to connect to IBM XFE app to get the threat intelligence feeds, I would like to know if someone else has been involved in this process since there is no much information about out there. Thanks so much, ... View more

Hello fellow splunkers, I would like to know if someone has come across a way to determine via a splunk query timing attacks, I have read some posts on github pointing out to useful information but still nothing concrete. I know we could do something with machine learning but not sure how to deal with it deeply in order to check for so. Thanks so much, ... View more

Hello splunkers, While checking some use cases I found out one that I am interested of "Detect Spike in Network ACL activity", my question is about the formula that it contains to detect the suspicious activity, here is the query it is based on: sourcetype=aws:cloudtrail `network_acl_events` [search sourcetype=aws:cloudtrail `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user I understand pretty much all but I do not understand what this part does: | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) Specifically where the 720 and 719 come from, so my question for you is does anybody have worked with it before or any similar one because I noticed there are others which use the same formula. I am using Splunk ES version 6.1.1  Thanks so much, ... View more

I am trying to figure out how I can track the timestamp whenever I changed the status of any recently opened investigation so that I can have the control of that, I have checked the ES audit section, specifically the Investigation Overview but there is anything similar to this. I also checked the _audit index but not sure if the investigation roles are tracked there which in turn would be a really good option to observe. Thanks ... View more