Splunk Cloud Platform

Suspicious Event Log Service Behavior

Abhirup_10
New Member

I am trying to fine-tune one use case, "Suspicious Event Log Service Behaviour". Below is the rule logic:

(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter` | collect index=asx sourcetype=asx marker="mitre_id=T1070.001, execution_type=adhoc, execution_time=1637664004.675815"

but the rule is currently too noisy. Is it possible to set a bin time (5 mins) between the stop-logging and start-logging events? After 5 mins, if the logging has started, then I want to ignore the alerts.

Or, I have seen a field named dvc_priority; can we set the alerts only for high or critical?

Please help me with the query.


datadevops
Path Finder

Hi there,

1. Implement a 5-Minute Bin Time:

  • Add the bucket command:
search (`wineventlog_security` EventCode=1100) |
bucket _time span=5m |
stats count min(_time) as firstTime max(_time) as lastTime by _time dest Message EventCode |
`security_content_ctime(firstTime)` |
`security_content_ctime(lastTime)` |
`suspicious_event_log_service_behavior_filter` |
... (rest of your query)
  • Filter out events with gaps within 5 minutes:
... |
stats count as event_count by _time dest Message EventCode |
eventstats min(_time) as first_time by dest |
eval is_first_event = if(_time == first_time, 1, 0) |
eval is_noisy_event = if(event_count > 1 AND is_first_event == 0, 1, 0) |
where is_noisy_event = 0

2. Filter by dvc_priority:

  • Add a filter condition:
... | 
where dvc_priority = "high" OR dvc_priority = "critical" | 
... (rest of your query)

Additional Tips:

  • Tailor the bin time: Adjust the span value in bucket _time span=5m to match your desired timeframe.
  • Prioritize based on risk: If dvc_priority accurately reflects risk, filtering by it can be effective.
  • Test thoroughly: Implement changes in a non-production environment first to ensure they work as intended.
  • Combine strategies: For optimal results, consider using both bin time and dvc_priority filtering together.

Remember:

  • Replace any placeholders like ... (rest of your query) with the actual remaining parts of your query.
  • Adapt field names and values to match your specific Splunk configuration.

I'm here to assist further if you have any more questions or need additional guidance!

~ If this helps, a Karma upvote would be much appreciated.
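
As an added example that is not part of either post above, here is the "only alert when logging does not resume within 5 minutes" logic from the question in Python, run over constructed sample events rather than real data. It assumes, since the thread does not say which event marks logging resuming, that System-log Event ID 6005 (event log service started) is that marker; the function name is the example's own, and the same stop/next-start pairing could be done in SPL with streamstats after sorting by host and time.

```python
from datetime import datetime, timedelta

STOP_CODE = 1100   # Security log: the event logging service has shut down (the rule's EventCode)
START_CODE = 6005  # System log: event log service started; ASSUMED marker for "logging resumed"

# Constructed sample events, not real data: (timestamp, dest, EventCode, dvc_priority)
SAMPLE_EVENTS = [
    ("2021-11-23T10:00:00", "host-a", 1100, "medium"),    # restarts after 2 min: benign reboot
    ("2021-11-23T10:02:00", "host-a", 6005, "medium"),
    ("2021-11-23T11:00:00", "host-b", 1100, "high"),      # never restarts
    ("2021-11-23T12:00:00", "host-c", 1100, "critical"),  # restarts only after 20 min
    ("2021-11-23T12:20:00", "host-c", 6005, "critical"),
    ("2021-11-23T13:00:00", "host-d", 1100, "low"),       # restarts after 1 min
    ("2021-11-23T13:01:00", "host-d", 6005, "low"),
    ("2021-11-23T14:00:00", "host-d", 1100, "low"),       # never restarts, but low priority
]


def find_suspicious_stops(events, max_gap_s=300, priorities=None):
    """Return each EventCode 1100 stop that is not followed by a start event on the
    same host within max_gap_s seconds. When `priorities` is given, only stops from
    hosts whose dvc_priority is in that set are considered (the thread's second idea)."""
    max_gap = timedelta(seconds=max_gap_s)
    # Group per host, ordered by time, so each stop can be paired with the NEXT start.
    by_host = {}
    for ts, dest, code, prio in sorted(events, key=lambda e: (e[1], e[0])):
        by_host.setdefault(dest, []).append((datetime.fromisoformat(ts), code, prio))

    alerts = []
    for dest, evs in by_host.items():
        for i, (t, code, prio) in enumerate(evs):
            if code != STOP_CODE or (priorities is not None and prio not in priorities):
                continue
            restart = next((t2 for t2, c2, _ in evs[i + 1:] if c2 == START_CODE), None)
            if restart is None or restart - t > max_gap:
                gap = None if restart is None else int((restart - t).total_seconds())
                alerts.append({"dest": dest, "stop_time": t.isoformat(),
                               "restart_gap_s": gap, "dvc_priority": prio})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_stops(SAMPLE_EVENTS, priorities={"high", "critical"}):
        print(alert)
```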
