Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

extreme search: What can I do when then numbers of authenticatoins per source is not normally distributed?

wilhelmF
Path Finder
‎06-09-2017 03:10 AM

Hi,
we are using Enterprise Security. The problem is that we have a few hosts where all the employees login and many machines where only a handful of people login. Therefore we have many failed logins on the main machines with many notable events which basically aren't notable events.

Question
My question: Is there a way to alter the extreme search so that it uses a context which is host dependent i.e. dependent on the overall logins? Or do I need to write a new correlation searches which basically compare the total logins of a machine to the failed logins? Whats the best approach?

Correlation Search
| datamodel("Authentication","Authentication") | stats values(Authentication.tag) as tag,values(Authentication.app) as app,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | drop_dm_object_name("Authentication") | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | settags("access")

Logins per host
alt text

Preview file
1 KB
0 Karma
Reply

wilhelmF
Path Finder
‎06-19-2017 12:59 AM

I learned that by default the context has only one class default. In order to get less notable events I have to create the same context with src classes. Then it works.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎06-09-2017 10:35 AM

Have you seen this great tutorial on Extreme Search by the inimitable George Starcher? While I know it's not an answer directly, I think it could be of great use in helping to find an answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...