Dear Splunkers,
we are trying to build a baseline of login events. We are using this example. The search is at the end of the post.
The problem we are facing is that no outlier events are detected. We are using the CERT Insider Threat Dataset r4.2. It doesn't matter how many stdevs we use; it never classifies an event as an outlier.
Maybe it isn't working because there are multiple logins per user per day. How could we change it so that it only uses the first login event per user per day?
Does anyone have an idea what we can try?
Thank you in advance.
activity=Logon
| eventstats avg("_time") AS avg stdev("_time") AS stdev
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| eval isOutlier=if('_time' < lowerBound OR '_time' > upperBound, 1, 0)
| table _time isOutlier
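As an added illustration that is not part of the original post: the search above computes avg and stdev over the raw _time value, i.e. over epoch timestamps spread across the whole dataset, and then asks whether any single timestamp lies more than two standard deviations from the mean of all timestamps. The script below reproduces that check on constructed logon records (user names, dates and times are made up, not taken from the CERT data) and then applies the same two-stdev bounds to the time of day of each user's first logon per day, which is the per-user-per-day reduction the post asks about. Python's statistics.stdev is the sample standard deviation, matching Splunk's stdev.

```python
"""
Added example, not code from the original post or from Splunk.

Two runs of the same "mean +/- 2 * stdev" outlier rule:
  1. over raw epoch timestamps (what the posted SPL does), and
  2. over seconds-since-midnight of each user's first logon per day.
All input records are constructed for this example.
"""
from datetime import datetime, timedelta
from statistics import mean, stdev   # stdev = sample std dev, like Splunk's stdev()


def build_sample_logons():
    """Constructed data: 3 users, 30 working days, a morning and an
    afternoon logon each, plus one 03:12 logon that should stand out."""
    rows = []
    start = datetime(2010, 1, 4)
    for user_no, user in enumerate(["ABC0174", "DEF0233", "GHI0312"]):  # hypothetical users
        for day in range(30):
            base = start + timedelta(days=day)
            minute = (day * 7 + user_no * 3) % 20   # deterministic jitter, 0..19 minutes
            rows.append({"user": user, "activity": "Logon",
                         "_time": base + timedelta(hours=8, minutes=minute)})
            rows.append({"user": user, "activity": "Logon",
                         "_time": base + timedelta(hours=13, minutes=minute)})
    # Constructed anomaly: an early-morning logon on day 17.
    rows.append({"user": "ABC0174", "activity": "Logon",
                 "_time": start + timedelta(days=17, hours=3, minutes=12)})
    return rows


def outlier_bounds(values, nstdev=2.0):
    """lowerBound / upperBound exactly as the posted eval computes them."""
    avg, sd = mean(values), stdev(values)
    return avg - sd * nstdev, avg + sd * nstdev


def flag_outliers(rows, key, nstdev=2.0):
    """Return the rows whose key() value falls outside the 2-stdev bounds
    (the rows the posted search would mark isOutlier=1)."""
    values = [key(r) for r in rows]
    lower, upper = outlier_bounds(values, nstdev)
    return [r for r in rows if not lower <= key(r) <= upper]


def first_logon_per_user_day(rows):
    """Keep only the earliest logon for each (user, calendar day)."""
    first = {}
    for r in sorted(rows, key=lambda r: r["_time"]):
        first.setdefault((r["user"], r["_time"].date()), r)
    return list(first.values())


def seconds_since_midnight(ts):
    """Time of day as a number, so logons on different days are comparable."""
    return ts.hour * 3600 + ts.minute * 60 + ts.second


if __name__ == "__main__":
    logons = build_sample_logons()

    # Run 1: bounds over raw epoch time. The timestamps are spread evenly over
    # 30 days, so 2 stdev (~17 days) reaches past both ends of the range and
    # nothing is ever outside it, the 03:12 logon included.
    raw_hits = flag_outliers(logons, lambda r: r["_time"].timestamp())
    print("outliers on raw _time:", len(raw_hits))

    # Run 2: first logon per user per day, compared by time of day.
    firsts = first_logon_per_user_day(logons)
    tod_hits = flag_outliers(firsts, lambda r: seconds_since_midnight(r["_time"]))
    for r in tod_hits:
        print("outlier on time-of-day of first logon:", r["user"], r["_time"])
```

The first run flags nothing because the mean of the epoch timestamps sits in the middle of the collection window and two sample standard deviations of an evenly spread window is wider than half the window itself; changing the multiplier from 2 to 1 would only change how much of the middle is covered, not whether the ends are. The second run flags only the 03:12 record. In SPL the analogous change is to keep each user's earliest logon per day (for example by binning _time to a day and taking the minimum _time by user and bin) and to compute the bounds over a time-of-day field derived from that timestamp rather than over _time itself.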