Repeat Offenders, Notable events over time

colinjmchugo
Explorer

Hi,

I am looking to search for users' machines on the network so that repeated events (users with tickets) are highlighted and we can see which machines are potentially at more of a risk. So my table at the moment is showing:

table _time id priority.name username hostname subject category.name assigned_to.name | sort by username

I know this other incident below speaks of this, but it's not clear how to adapt it to my own environment. I want to show that X user has X number of Y category and also has X number of incidents relating to another category, so we can get a picture of what that user is up to. So I am looking for some assistance if possible? Thanks in advance.

https://answers.splunk.com/answers/524194/highlight-repeat-notable-offenders.html?utm_source=typeahe...


colinjmchugo
Explorer

Dal,

I am getting a null return on the category; could you assist with this? Photo attached. I don't know why. Thanks, Colin


DalJeanis
SplunkTrust

Sorry, I generally can't see images through the firewall. If you post your search string, (any confidential stuff like index names masked) and your search results (ditto) as a comment on this answer, we can help you debug.

If your original search is returning a null, use fillnull to give it a default value of "other" before the eventstats. The weighting code already should handle defaulting the weight to 1.


colinjmchugo
Explorer

Thanks, I am not sure if that solves my issue, but I appreciate your response. Under the UserCatCount I am getting the following returns:

Null => 1 @ 20 = 20
Null => 1 @ 5 = 5
Null => 1 @ 6 = 6
Null => 3 @ 1 = 3
Null => 3 @ 5 = 15
Null => 5 @ 5 = 25

So I am not sure where to put this fillnull. Is it in these lines "| eval UserCatCount = tostring(Category)." => ".UserCatCount." @ ".Weight." = ".TotalWeight
| stats count as UserEventCount sum(TotalWeight) as UserEventWeight values(UserCatCount) as UserCatCount by username"?
I also don't understand the OUTPUT CategoryWeight command. I am close to solving this, so I'd love it if I could get it sorted. Thanks again.


DalJeanis
SplunkTrust

One possible approach would be to use the eventstats command to count up how many qualifying events a user had...

| eventstats count as UserEventCount by username
| eventstats count as UserCatCount by username category.name 

If you feel like you need all the category counts on every line, you could do something like this...

| eventstats count as UserCatCount by username category.name 
| eval UserCatCount = tostring('category.name')." = ".UserCatCount
| eventstats count as UserEventCount values(UserCatCount) as UserCatCount by username

There are various other presentation options depending on how the report will be used, but those give you the basics.

colinjmchugo
Explorer

Thanks, Dal,

That's great, so the event count is the number of events a user has created while catcount is the number of categories that user has created?

Just wondering if I could assign a score to a category, so let's say the categories are Phishing, Malware, PUP, Improper Use etc. Could I give these each a weight in some sort of index (that is easily editable) and then see the "Risk Score" each user had from this?

I also want to create a RiskScore for a device as well as a user. Thanks so much, really appreciate this. Great to have a community like this.


DalJeanis
SplunkTrust

eventstats is just like stats, except that it doesn't eliminate the individual transactions. It calculates as if it had done so, then puts the relevant answers on each individual event.

So, after the eventstats, UserCatCount would contain the count of events for the combination of user and category... and in the last set of code, the category counts would all get rolled together into a single field that would present the data something like this...

george    23    categoryname1 = 13
                categoryname2 =   3
                categoryname3 =   7

If you wanted to weight them, you could build a lookup table and multiply the count by the weight

| eventstats count as UserCatCount by username category.name 
| lookup myweightingtable.csv  category as category.name OUTPUT  CategoryWeight
| eval CategoryWeight=coalesce(CategoryWeight,1)
| eval TotalWeight=UserCatCount * CategoryWeight
| eval UserCatCount = tostring('category.name')." => ".UserCatCount." @ ".CategoryWeight." = ".TotalWeight
| stats count as UserEventCount sum(CategoryWeight) as UserEventWeight values(UserCatCount) as UserCatCount by username
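To make the eventstats and weighting answers above concrete, here is an added Python model of that SPL pipeline. It is not Splunk code and not from the thread; it runs over constructed sample events and a constructed lookup CSV whose columns use the names from Dal's sample (category, CategoryWeight). It shows what eventstats does (every event keeps its own row and gains the group count, where stats would collapse to one row per group), applies fillnull to a null category before counting, defaults a missing weight to 1 the way coalesce(CategoryWeight,1) does, and sums the per-event weight so each category contributes count × weight exactly once. The grouping field is a parameter, so the same function produces the per-device score asked about later in the thread by grouping on hostname instead of username. The names EVENTS, WEIGHT_CSV, risk_scores and repeat_offenders are assumptions of this example.

```python
"""Added example: a Python model of the eventstats + lookup weighting pipeline.
Not Splunk code; field names follow the thread, data is constructed."""
import csv
import io
from collections import Counter

# Constructed sample notable events (hypothetical users/hosts, not real data).
# One event has a null category to exercise the fillnull advice from the thread.
EVENTS = [
    {"username": "george", "hostname": "wks-01", "category.name": "Phishing"},
    {"username": "george", "hostname": "wks-01", "category.name": "Phishing"},
    {"username": "george", "hostname": "wks-01", "category.name": "Malware"},
    {"username": "george", "hostname": "wks-02", "category.name": None},
    {"username": "alice",  "hostname": "wks-03", "category.name": "PUP"},
    {"username": "alice",  "hostname": "wks-03", "category.name": "Improper Use"},
]

# Constructed lookup table, columns named as in Dal's sample (category, CategoryWeight).
# "Improper Use" is deliberately absent so the default weight of 1 is exercised.
WEIGHT_CSV = """category,CategoryWeight
Phishing,5
Malware,20
PUP,1
"""


def load_weights(csv_text):
    """Parse the lookup CSV into {category: weight}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["category"]: float(row["CategoryWeight"]) for row in reader}


def fillnull(events, field, value="other"):
    """Model of `fillnull value=other <field>`: a null or missing field becomes value."""
    out = []
    for e in events:
        e = dict(e)
        if e.get(field) is None:
            e[field] = value
        out.append(e)
    return out


def eventstats_count(events, as_field, by):
    """Model of `eventstats count as <as_field> by <by...>`: each event keeps its own
    row and gains the count of its group (stats would return one row per group)."""
    key = lambda e: tuple(e.get(f) for f in by)
    counts = Counter(key(e) for e in events)
    return [dict(e, **{as_field: counts[key(e)]}) for e in events]


def risk_scores(events, weights, by="username", default_weight=1.0):
    """Model of the weighted pipeline, grouped by `by` (username for a user score,
    hostname for a device score). Each category contributes count * weight once."""
    events = fillnull(events, "category.name")
    events = eventstats_count(events, "UserCatCount", [by, "category.name"])
    result = {}
    for e in events:
        cat = e["category.name"]
        weight = weights.get(cat, default_weight)  # coalesce(CategoryWeight, 1)
        bucket = result.setdefault(
            e[by], {"UserEventCount": 0, "UserEventWeight": 0.0, "UserCatCount": {}})
        bucket["UserEventCount"] += 1
        bucket["UserEventWeight"] += weight  # summing per-event weight == count * weight per category
        total = e["UserCatCount"] * weight
        bucket["UserCatCount"][cat] = f"{cat} => {e['UserCatCount']} @ {weight:g} = {total:g}"
    # values(UserCatCount) in stats yields the distinct strings; sort for a stable display
    for b in result.values():
        b["UserCatCount"] = sorted(b["UserCatCount"].values())
    return result


def repeat_offenders(scores, min_events=2):
    """Users or hosts with at least min_events notables, highest weighted score first."""
    keys = [k for k, v in scores.items() if v["UserEventCount"] >= min_events]
    return sorted(keys, key=lambda k: scores[k]["UserEventWeight"], reverse=True)


if __name__ == "__main__":
    weights = load_weights(WEIGHT_CSV)
    for group in ("username", "hostname"):
        scores = risk_scores(EVENTS, weights, by=group)
        for key in repeat_offenders(scores):
            print(group, key, scores[key])
```

Running the block lists george first (four events, weighted score 31: two Phishing at 5, one Malware at 20, one null category filled as "other" at the default weight of 1), and for devices lists wks-01 first; the per-category strings come out in the same "count @ weight = total" shape the thread's eval builds.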

colinjmchugo
Explorer

Thank you so much, really appreciate it. Every day is a school day 🙂


colinjmchugo
Explorer

Dal, so I am getting an error and I am trying to figure this out. I've created the CSV, uploaded it and changed permissions etc. I have created the file with two columns, one category, the other weight, and then in the category field I have listed the categories and put in weights in the next column relating to each category.

Should I have called the columns category and then CategoryWeight? Or is it category.name and then Category.weight? It's a little confusing. Thanks, Colin


DalJeanis
SplunkTrust

@colinjmchugo - You get to choose what to call the columns in the table. Simpler is better. In my sample, I called them category and CategoryWeight, but you can do whatever you want. Just look at the documentation for lookup to see where the event field name and the lookup field names go, in relation to the as syntax.

Yes, if you have your answer for a question, you can accept whichever answer worked best or helped you the most. You can also upvote any other answers and comments that you found helpful. (I'm not asking you to do so on this question now, just letting you know that rewarding all the people who helped you is a good thing in general on these forums.)


colinjmchugo
Explorer

Sorry @DalJeanis, only seeing the reply now. Thanks a lot, I appreciate it. Yes, I was aware of making the field names the same. Let me try it again. Thanks Dal, I'll reward in whatever way I can as I really appreciate the support. It makes the world go around for sure. Cheers

DalJeanis
SplunkTrust

@colinjmchugo - Don't worry about rewarding me, per se. Helping folks is fun. But please do accept an answer when your question is solved. For now, we'll keep plugging.


colinjmchugo
Explorer

If you get a chance, Dal, thanks. Do I need to award you with getting the answer? Thanks, C.
