Splunk Enterprise Security

Splunk App for Enterprise Security: How to debug xswhere

chris
Motivator

The Splunk App for Enterprise Security ships with extreme search commands. I would like to see drastic changes in occurrences of ids signatures. ES already ships the query to populate the context: count_by_signature_1h

Is there a way to debug the current contexts?

Using this search (or similar), I would like to see what the limits/boundaries for the concept terms are and what term is active for the period I searched:

| tstats allow_old_summaries=true count from datamodel=Intrusion_Detection by IDS_Attacks.signature | `drop_dm_object_name("IDS_Attacks")` | xswhere count from count_by_signature_1h in ids_attacks by signature is above minimal

Is this possible?

It would also be great to see if there are any newcomers (or at least I do not understand how this could be achieved). At the moment this warning is (again that is my interpretation) displayed:

xsWhere-I-111: There is no context 'count_by_signature_1h' with class 'xy signature' from container 'ids_attacks' in scope 'none', using default context count_by_signature_1h

Is there a way to mark the signatures with a field in the result set?

Regards
Chris

0 Karma
1 Solution

mcormier_splunk
Splunk Employee
Splunk Employee

HI Chris,

To view a context, you can use the command "xsDisplayContext". In the example you have above, you would run this search command:

  | xsDisplayContext 'count_by_signature_1h' in 'ids_attacks' by  'xy signature'

This uses the standard charting that comes with Splunk.

If you'd like to see this using d3, there are a set of dashboards that come with Extreme Search, but that may be turned off by default. That chart provides a better visual experience. To access these dashboards, go to the Extreme Search app, then select the "Conceptual Search" menu, then "Contexts". One of your choices is "Display Context". WHen accessing this dashboard, you select SA-NetworkProtection as the scope. The rest of the dropdowns will populate correctly and you should be able to view your context(s). Note that there should be a class for each signature (values of the signature field) as well as the "Default Class".

If this dashboard is not visible, you can change this by removing the 'isDashboard="false"' entry in the view. That can be done by editing the dashboard via the UI or the .xml file on disk. The dashboards can be found in $SPLUNK_HOME/etc/apps/Splunk_SA_ExtremeSearch/default/data/ui/views. If you modify these on the disk, make sure you "refresh" using the url https://servername:8000/debug/refresh or just restart Splunk.

You are correct in that the Information message from xsWhere means that the class does not yet exist. When this occurs, xsWhere uses the Default class for any event with a value of signature that doesn't have an associated Context.

To view the list of contexts (by class) that exist, run the following search command:

| xsListContexts FROM count_by_signature_1h IN ids_attacks | sort Class

We are working on a new app (to be called XSV, which stands for XS Visualization) that provides a powerful life-cycle view of Containers, Contexts, Classes and Concepts. That should be released soon on Splunkbase. Once it's available I will update this answer.

Please let me know if you have any other questions. I'm happy to help.

Regards,

Mike

View solution in original post

mcormier_splunk
Splunk Employee
Splunk Employee

HI Chris,

To view a context, you can use the command "xsDisplayContext". In the example you have above, you would run this search command:

  | xsDisplayContext 'count_by_signature_1h' in 'ids_attacks' by  'xy signature'

This uses the standard charting that comes with Splunk.

If you'd like to see this using d3, there are a set of dashboards that come with Extreme Search, but that may be turned off by default. That chart provides a better visual experience. To access these dashboards, go to the Extreme Search app, then select the "Conceptual Search" menu, then "Contexts". One of your choices is "Display Context". WHen accessing this dashboard, you select SA-NetworkProtection as the scope. The rest of the dropdowns will populate correctly and you should be able to view your context(s). Note that there should be a class for each signature (values of the signature field) as well as the "Default Class".

If this dashboard is not visible, you can change this by removing the 'isDashboard="false"' entry in the view. That can be done by editing the dashboard via the UI or the .xml file on disk. The dashboards can be found in $SPLUNK_HOME/etc/apps/Splunk_SA_ExtremeSearch/default/data/ui/views. If you modify these on the disk, make sure you "refresh" using the url https://servername:8000/debug/refresh or just restart Splunk.

You are correct in that the Information message from xsWhere means that the class does not yet exist. When this occurs, xsWhere uses the Default class for any event with a value of signature that doesn't have an associated Context.

To view the list of contexts (by class) that exist, run the following search command:

| xsListContexts FROM count_by_signature_1h IN ids_attacks | sort Class

We are working on a new app (to be called XSV, which stands for XS Visualization) that provides a powerful life-cycle view of Containers, Contexts, Classes and Concepts. That should be released soon on Splunkbase. Once it's available I will update this answer.

Please let me know if you have any other questions. I'm happy to help.

Regards,

Mike

chris
Motivator

Thanks Mike, this is definetly a step towards becoming more comfortable with the xs theme.

0 Karma

mcormier_splunk
Splunk Employee
Splunk Employee

HI Chris,

We finally put Extreme Search Visualization (XSV) up on Splunkbase ( https://splunkbase.splunk.com/app/2855 ). This app provides a whole collection of dashboards and some new commands to help you better manage the lifecycle of contexts.

Check it out and ping me if you have any questions.

Regards,

Mike

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...