Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlation Search question (Enterprise Security)

echojacques
Builder
‎02-19-2014 03:34 PM

Hello,

This is a correlation search included with Enterprise Security that detects and alerts for potential spyware activity:

| `src_dest_tracker("allowed")` | lookup local=true ip_spyware_lookup src OUTPUTNEW src_ip as src_spyware_ip,src_description,src_is_spyware | lookup local=true ip_spyware_lookup dest OUTPUTNEW dest_ip as dest_spyware_ip,dest_description,dest_is_spyware | search dest_is_spyware=true OR src_is_spyware=true | eval spyware_ip=if(dest_is_spyware=="true",dest_spyware_ip,spyware_ip) | eval spyware_ip=if(src_is_spyware=="true",src_spyware_ip,spyware_ip) | eval spyware_description=if(dest_is_spyware=="true",dest_description,spyware_description) | eval spyware_description=if(src_is_spyware=="true",src_description,spyware_description) | fields + sourcetype,src,dest,spyware_ip,spyware_description

My question is, is there a way to tweak this search so that it only alerts when there are more than X number of events? In other words, let me know when an IP address triggers this rule 5 times (within a 24 hour period).

I thought it was as simple as adding: "| search count>5" to the end of the search string but it didn't work.

Thanks for any tips!

Reply
1 Solution
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 03:59 PM

Hi,

First and obligatory answer is upgrade, 3.0's version is much easier to read because of architectural improvements.... That said, I'd put stats count(spyware_ip) as spyware_count by spyware_ip | search spyware_count>5 at the end.

View solution in original post

Reply
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-19-2014 03:59 PM

Hi,

First and obligatory answer is upgrade, 3.0's version is much easier to read because of architectural improvements.... That said, I'd put stats count(spyware_ip) as spyware_count by spyware_ip | search spyware_count>5 at the end.

Reply
Solved! Jump to solution

echojacques
Builder
‎02-20-2014 01:31 PM

This worked, thanks for the help!

0 Karma
Reply
Solved! Jump to solution

echojacques
Builder
‎02-19-2014 04:05 PM

Hi, thanks, I will try this in the morning and let you know the results!

... I did try the upgrade to ES 3 but had a few issues so I had to rollback, but it's good to know that the correlation searches are more efficient in ES 3.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...