Splunk Security Essentials: Scheduling daily alerts

mhelfman
New Member

I am trying to schedule alerts for the use cases in the Security Essentials Splunk App. I watched the video on https://splunkbase.splunk.com/app/3435/ and in the demo there is a way to schedule alerts, but I just tried to do that for two use cases:

1) Hosts Where Security Sources Go Quiet
2) Increase in # of Hosts Logged into

Anyone know how to schedule these use cases as alerts to run daily, as it seems the queries take a very long time to run?

0 Karma

David
Splunk Employee

The simple approach here is to save the search to run nightly at an off hour, and then get email alerts. It won't give you a consolidated report of all the anomalies (it would send you them one-by-one).

You absolutely could push these alerts to a summary index, and then build a report off that summary index, to get to that status, but it will likely take some experimentation to get right. Summary Indexing is covered extensively in Splunk Docs, and my personal preference for using it is: http://www.davidveuve.com/tech/how-i-do-summary-indexing-in-splunk/

Apologies for the somewhat vague response, but hopefully this is helpful (if a bit tardy). This is also an area where we'd like to provide a bit more structure in Splunk Security Essentials, but at this point it's not committed development.

0 Karma

mhelfman
New Member

Hi,

I am running use cases right out of the app. So for example, I run the "Increase in # of Hosts Logged into" use case, which is the following search query, and it queries the last 30 days:

index=* sourcetype=win*security (4624 OR 4647 OR 4648 OR 551 OR 552 OR 540 OR 528 OR 4768 OR 4769 OR 4770 OR 4771 OR 4768 OR 4774 OR 4776 OR 4778 OR 4779 OR 672 OR 673 OR 674 OR 675 OR 678 OR 680 OR 682 OR 683) | bucket _time span=1d | stats dc(host) as count by user _time

The search takes an extremely long time to run. This concerns me as I don't know if I can schedule these off hours and have a daily report emailed to me. The goal is to try and create alerts for these kinds of activities as I don't want to manually run these queries.

0 Karma
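The two-stage approach David outlines (run the expensive search nightly, write it to a summary index, report and alert off the summary) applied to the "Increase in # of Hosts Logged into" query mhelfman posted above. This is an added example written for this thread; it is not part of Splunk Security Essentials and not code from either poster. Assumptions: the summary index name summary_security_auth (it must already exist), the two stanza names, the e-mail address placeholder, and the "more than twice the user's own 30-day baseline" trigger condition, which the thread does not specify. The event-code list is copied from the query in the thread; the field is renamed from count to host_count only so it cannot be confused with the count field of summary events.

```ini
# savedsearches.conf, placed in a custom app's local/ directory (assumed location).
# Added example for this thread; not Splunk Security Essentials code.
# Assumed names: summary_security_auth (summary index), both stanza names,
# soc-alerts@example.com (placeholder recipient).

# Stage 1: run the expensive raw search once per night over ONE day only,
# and store the per-user daily distinct-host counts in a summary index.
# This is what makes the nightly run cheap: 1 day of raw data instead of 30.
[sse_hosts_per_user_daily_summary]
# index=* is kept from the original query; restricting it to the indexes that
# actually hold Windows Security logs is the single biggest speed-up available.
search = index=* sourcetype=win*security (4624 OR 4647 OR 4648 OR 551 OR 552 OR 540 OR 528 OR 4768 OR 4769 OR 4770 OR 4771 OR 4774 OR 4776 OR 4778 OR 4779 OR 672 OR 673 OR 674 OR 675 OR 678 OR 680 OR 682 OR 683) \
  | bucket _time span=1d \
  | stats dc(host) as host_count by user _time
# Whole previous calendar day, midnight to midnight, so each day is summarized exactly once.
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
cron_schedule = 0 2 * * *
# Summary indexing: every result row is written as a "stash" event (sourcetype stash),
# which does not count against license volume.
action.summary_index = 1
action.summary_index._name = summary_security_auth
# Extra field stamped on each summary row so stage 2 can select exactly these rows.
action.summary_index.report = hosts_per_user_daily

# Stage 2: read 30 days of small summary rows (fast), compare each user's most
# recent day against that user's own average over the earlier days, and e-mail
# when the latest day is more than double the baseline (assumed threshold).
[sse_hosts_per_user_increase_alert]
search = index=summary_security_auth report=hosts_per_user_daily \
  | eval is_latest = if(_time >= relative_time(now(), "-1d@d"), 1, 0) \
  | stats avg(eval(if(is_latest=0, host_count, null()))) as baseline, \
          max(eval(if(is_latest=1, host_count, null()))) as latest by user \
  | where isnotnull(latest) AND latest > 2 * baseline
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
enableSched = 1
# Runs 30 minutes after stage 1 so the newest day's summary rows are already indexed.
cron_schedule = 30 2 * * *
# Trigger when the search returns at least one user over threshold.
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Splunk alert: increase in number of hosts logged into
# Send the result table inline, so the mail is one consolidated report of all users
# that tripped the threshold rather than one mail per user.
action.email.sendresults = 1
action.email.inline = 1
alert.track = 1
```

Two caveats a practitioner should expect. First, stage 2 only becomes meaningful once the summary index holds enough days to form a baseline; a user with no earlier rows has a null baseline and will not trigger, so either wait out the 30 days or backfill the summary with the fill_summary_index.py script that ships in Splunk's bin directory. Second, the comparison is deliberately per user (each user against their own history) rather than against a global number, which is what keeps a service account that always touches 50 hosts from alerting every night; tune the factor of 2 to the noise level in your environment.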

Sukisen1981
Champion

What exactly is your issue here?
I am assuming you have set up the alerts on a per day / 24 hour basis already?
If your search query is not running, no alerts will be triggered. Can you share your queries, as you are mentioning that they take a long time to run?
I guess we need to begin our analysis from the queries and not from the alerts.

0 Karma