Splunk Enterprise Security

Splunk Enterprise Security: How to alert on a list of hosts that were not scanned by Symantec for the last 7 days?

renjujacob88
Path Finder

Hi,

Need help in creating an alert!!

Last week, we had integrated the Symantec to Splunk Enterprise Security. Symantec scans all the devices in our environment and provides us the scan result.
We need a search to throw the list of hosts which are not scanned for the last 7 days.

Sample log format is shown below :Log format is a

Scan_Action= Complete
Begin_Time=2016-11-08 07:00:03
End_Time=2016-11-08 09:02:08
index=sample
sourcetype=scan

The search should be based on the Status_Action and End_Time

0 Karma
1 Solution

SierraX
Communicator

Hi,

I would write an alert like this:

index=sample sourcetype=scan Scan_Action=Complete
| stats latest(Scan_Action), latest(End_Time) by host
| eval _time=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| eval seven_d=if(now()-_time>604800,"Longer than 7 Days",NULL)
| search seven_d=*

With an Alert condition of if number of events greater than 0
You do not write something about scanned hosts I guess every scanned host has an own host entry in splunk.
If not, you have to change the host in second line to the entry with the scanned hosts

Kind Regards
SierraX

View solution in original post

SierraX
Communicator

Hi,

I would write an alert like this:

index=sample sourcetype=scan Scan_Action=Complete
| stats latest(Scan_Action), latest(End_Time) by host
| eval _time=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| eval seven_d=if(now()-_time>604800,"Longer than 7 Days",NULL)
| search seven_d=*

With an Alert condition of if number of events greater than 0
You do not write something about scanned hosts I guess every scanned host has an own host entry in splunk.
If not, you have to change the host in second line to the entry with the scanned hosts

Kind Regards
SierraX

SierraX
Communicator

This is the shorter version to write the 2nd eval command... but not so easy to read or change:

| eval seven_d=if(_time<relative_time(now(),"-7d@m"),"Longer than 7 Days",NULL)

is doing the same job.

0 Karma

renjujacob88
Path Finder
index=sample sourcetype=scan Scan_Action=Complete   |latest(End_Time) as End_Time by host | eval
_time=strptime(End_Time,"%Y-%m-%d %H:%M:%S") |eval _time=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
 | eval seven_d=if(now()-_time>604800,"Longer than 7 Days",NULL)
 | search seven_d=*

Thanks for the insight, query did work

0 Karma

renjujacob88
Path Finder

HI Sierra,

Thanks for helping me out. Wrote down the query with little correction

index=sample sourcetype=scan Scan_Action=Complete   |latest(End_Time) as End_Time by host | eval
_time=strptime(End_Time,"%Y-%m-%d %H:%M:%S") |eval seven_d=(now()-_time) | where seven_d > 604800 | eval d=strptime(seven_d,"%Y-%m-%d %H:%M:%S")  | Table  host d
0 Karma

SierraX
Communicator

You try to parse a kind of epoch time.
now() and _time are both epoch time formats means this are seconds beginning from the 1970-01-01 00:00:00.
When I subtract seconds from seconds the result is also seconds.
This is also the reason why I choose 604800 this are 60*60*24*7

One solution could be:
Evaluate d in corresponding to the epoch time to days like
| eval d=strftime(seven_d,"%d Days %H Hours %M Minutes") | table host d
but this is only useful when you say "time between scans is everytime lower than 31 days". On the 32nd Day it would jump to 01 again because seven_d would be 1970-02-01 00:00:00 as formatted
Better way is to use macros to calculate the date back from seconds to days hours and minutes. But I haven't done this more than a year... need time to have a look.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...