Splunk Search

Detection of stealthy events

Thuan
Explorer

On security issues, there are high intensity events - scanning - and low-intensity (or stealthy) events - periodic or not - that take place say once every few days. The high intensity can be detected quite easily. The question has to do with low or very low frequency events. The transaction command allows a maxspan parameter. Is there some way to define a minspan = x hours/days, with the intent to detect recurring events that exceed a given time interval measured in hours/days?

0 Karma

Thuan
Explorer

One case of stealthy events is data exfiltration via HTTP. One possible common thread is a pair of source and destination IP, or even a destination subnet. The gap between any two such exfiltration activities may be days.

0 Karma

kristian_kolb
Ultra Champion

transaction does not have such a parameter. Also, searching for long-running transactions can be very computationally 'expensive'.

However you can maybe have some success with the rare command, e.g.:

sourcetype=logins status=failed src_ip!=10.* | rare src_ip

Which would give you the least common src_ip's that failed to authenticate from an external IP address. It all depends on your use cases, what logs you have and what you are looking for. More detailed examples, perhaps with sample events, would allow for more precise advice.

/k

0 Karma

Thuan
Explorer

One case of stealthy events is data exfiltration via HTTP. One possible common thread is a pair of source and destination IP, or even a destination subnet. The gap between any two such exfiltration activities may be days. Any idea how this can be achieved?

0 Karma
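The "minspan" idea from the question (recurring source/destination pairs whose activity is separated by at least a given interval) can be prototyped outside Splunk before turning it into a search. This is an added example, not code from the thread; the proxy-style events are constructed, and the collapsing of bursts into "episodes" is one assumed way to make a minimum-gap threshold meaningful.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, src_ip, dst_ip, bytes_out).
# The first pair beacons roughly every three days; the second is a single burst.
SAMPLE_EVENTS = """\
2024-03-01T02:13:05 10.1.4.22 203.0.113.9 48213
2024-03-01T02:13:40 10.1.4.22 203.0.113.9 1200
2024-03-04T02:15:11 10.1.4.22 203.0.113.9 51933
2024-03-07T02:14:52 10.1.4.22 203.0.113.9 50021
2024-03-02T09:00:00 10.1.7.5 198.51.100.4 3100
2024-03-02T09:00:30 10.1.7.5 198.51.100.4 2900
2024-03-02T09:01:10 10.1.7.5 198.51.100.4 3300
"""


def parse_events(text):
    """Parse whitespace-separated lines into (datetime, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def recurring_pairs(events, minspan=timedelta(hours=24), min_occurrences=3):
    """Return (src, dst) pairs that recur with gaps of at least `minspan`.

    Events closer together than `minspan` are collapsed into one episode, so a
    noisy burst counts once; a pair is reported only when it has at least
    `min_occurrences` distinct episodes. The result maps each pair to its
    episode count and the smallest and largest inter-episode gap.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        episodes = [stamps[0]]
        for ts in stamps[1:]:
            if ts - episodes[-1] >= minspan:   # far enough from the last episode
                episodes.append(ts)
        if len(episodes) >= min_occurrences:
            gaps = [b - a for a, b in zip(episodes, episodes[1:])]
            hits[pair] = {"occurrences": len(episodes),
                          "min_gap": min(gaps), "max_gap": max(gaps)}
    return hits
```

Running `recurring_pairs(parse_events(SAMPLE_EVENTS))` reports only the slow three-day pair; the one-minute burst collapses to a single episode and is dropped.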