Splunk Search

Detection of stealthy events

Thuan
Explorer

On security issues, there are high-intensity events - scanning - and low-intensity (or stealthy) events - periodic or not - that take place, say, once every few days. The high-intensity ones can be detected quite easily. The question has to do with low or very low frequency events. The transaction command allows a maxspan parameter. Is there some way to define a minspan = x hours/days, with the intent to detect recurring events that exceed a given time interval measured in hours/days?

0 Karma

Thuan
Explorer

One case of stealthy events is data exfiltration via HTTP. One possible common thread is a pair of source and destination IPs, or even a destination subnet. The gap between any two such exfiltration activities may be days.

0 Karma

kristian_kolb
Ultra Champion

transaction does not have such a parameter. Also, searching for long-running transactions can be very computationally 'expensive'.

However you can maybe have some success with the rare command, e.g.;

sourcetype=logins status=failed src_ip!=10.* | rare src_ip

Which would give you the least common src_ips that failed to authenticate from an external IP address. It all depends on your use cases, what logs you have and what you are looking for. More detailed examples, perhaps with sample events, would allow for more precise advice.

/k

0 Karma

Thuan
Explorer

One case of stealthy events is data exfiltration via HTTP. One possible common thread is a pair of source and destination IPs, or even a destination subnet. The gap between any two such exfiltration activities may be days. Any idea how this can be achieved?

0 Karma
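Added example, not from this thread and not Splunk's own code: a small Python script that applies the "minspan" idea the question asks for to constructed HTTP proxy log lines (assumed format: timestamp, src_ip, dest_ip, bytes_out). It groups events by source/destination pair and keeps only pairs that recur at least min_count times with every gap between consecutive events at least min_span_hours apart, which is the same per-pair gap computation one would express in SPL with streamstats.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample proxy log (not real traffic): timestamp src_ip dest_ip bytes_out.
# 10.1.1.5 -> 203.0.113.7 pushes ~5 MB every two days; 10.1.1.9 is ordinary burst traffic.
SAMPLE_LOG = """\
2024-03-01T02:10:00 10.1.1.5 203.0.113.7 5242880
2024-03-01T02:11:00 10.1.1.9 198.51.100.2 1200
2024-03-01T02:12:00 10.1.1.9 198.51.100.2 900
2024-03-03T02:12:00 10.1.1.5 203.0.113.7 4980736
2024-03-05T02:09:00 10.1.1.5 203.0.113.7 5100000
2024-03-07T02:13:00 10.1.1.5 203.0.113.7 5000000
"""


def parse_log(text):
    """Parse lines into (epoch_seconds, src, dst, bytes_out); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc).timestamp()  # UTC so DST cannot skew gaps
            events.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return events


def recurring_low_frequency(events, min_span_hours=24, min_count=3):
    """Return {(src, dst): summary} for pairs that recur at least min_count times
    and whose consecutive events are never closer than min_span_hours."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))
    hits = {}
    for pair, rows in by_pair.items():
        rows.sort()  # chronological order, like streamstats over _time
        if len(rows) < min_count:
            continue
        gaps_h = [(rows[i][0] - rows[i - 1][0]) / 3600 for i in range(1, len(rows))]
        if min(gaps_h) >= min_span_hours:  # every gap is "stealthy"-slow
            hits[pair] = {"count": len(rows), "min_gap_h": min(gaps_h),
                          "max_gap_h": max(gaps_h), "bytes_out": sum(b for _, b in rows)}
    return hits


if __name__ == "__main__":
    for pair, summary in recurring_low_frequency(parse_log(SAMPLE_LOG)).items():
        print(pair, summary)
```

Raising min_count or adding a total-bytes floor narrows the output further; lowering min_span_hours lets it catch beaconing-style intervals measured in hours instead of days.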