Splunk Cloud Platform

How do I get "equal to or greater than 0" results? I'll explain.

theitgui
Path Finder

Good Afternoon,

We are attempting to make Splunk fit into our compliance needs. The auditors want us to check for certain things on the network (user locked out, user added to security group, etc) and verify each day that we checked.

We were doing this with Alert Logic previously. Basically, Alert Logic had an internal "cases" interface where each search would put a "case" in the list to be reviewed. If it found something, one employee notes the reason after investigation and another employee closes it. Auditors want "dual control" to prevent one admin from falsifying things I guess.

The part where it gets tricky is when a search finds nothing. The auditors would like us to confirm that we checked even those "no findings" reports. Alert Logic did this out of the box (before they started changing their product to something wholly unrecognizable to us) and Splunk seemed to do it but I'm finding it's tougher than first thought.

The "cases" interface could be had via the Alert Manager app or InfoSec app, neither of which are functioning in my cloud trial. I've resorted to an e-mail to a free Jira cloud instance to get these cases. Accepting that, I need to figure out how to get an alert to trigger both for no items found and for items found. The trigger options force me to choose.

Any help is appreciated. I've been working with Splunk support on this and they think some of the apps not working are due to the trial but they can't seem to get the alert triggering going. I'm sure there is a phrase I can stick in "custom" that'll work. I just don't know what. Thank you in advance.

0 Karma

richgalloway
SplunkTrust

As you've discovered, there is no alert trigger for "zero or more results". You'll have to modify the query to always return results and have the alert trigger when items are found.

Use the appendpipe command to ensure the query always returns something. Share the existing query and we can provide specifics.

---
If this reply helps you, Karma would be appreciated.
0 Karma

theitgui
Path Finder

Thank you for the response! The queries are all pretty basic for the most part, one would be:

index="wineventlog" EventID=4740

My current workaround is two alerts, one for zero results, one for more than zero. Do you think I could do it in one?


0 Karma
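Putting the appendpipe suggestion together with the EventID 4740 query shared in this thread, as an added example that is not code from either poster. The field name TargetUserName, the "(none)" placeholder and the status labels are assumptions; the subsearch inside appendpipe counts the rows produced so far and, only when that count is 0, appends one "no findings" row, so the search always returns at least one row and a single alert can trigger on "Number of Results > 0".

```spl
index="wineventlog" EventID=4740
| stats count AS lockouts, min(_time) AS first_seen, max(_time) AS last_seen BY TargetUserName
| appendpipe [ stats count AS rows | where rows=0 | eval TargetUserName="(none)", lockouts=0, status="no findings" | fields - rows ]
| eval status=coalesce(status, "findings present")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table status TargetUserName lockouts first_seen last_seen
```

Because the status column is present on every row, the e-mail that becomes the Jira case shows the reviewer whether the day's check was empty or had lockouts to investigate; a day with no case at all then means the scheduled search itself did not run, which is worth watching for separately.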