extreme search: What can I do when then numbers of...

wilhelmF · ‎06-09-2017

Hi,
we are using Enterprise Security. The problem is that we have a few hosts where all the employees login and many machines where only a handful of people login. Therefore we have many failed logins on the main machines with many notable events which basically aren't notable events.

Question
My question: Is there a way to alter the extreme search so that it uses a context which is host dependent i.e. dependent on the overall logins? Or do I need to write a new correlation searches which basically compare the total logins of a machine to the failed logins? Whats the best approach?

Correlation Search
| datamodel("Authentication","Authentication") | stats values(Authentication.tag) as tag,values(Authentication.app) as app,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | drop_dm_object_name("Authentication") | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | settags("access")

Logins per host

wilhelmF · ‎06-19-2017

I learned that by default the context has only one class default. In order to get less notable events I have to create the same context with src classes. Then it works.

Richfez · ‎06-09-2017

Have you seen this great tutorial on Extreme Search by the inimitable George Starcher? While I know it's not an answer directly, I think it could be of great use in helping to find an answer.

extreme search: What can I do when then numbers of authenticatoins per source is not normally distributed?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life