@faststeak
Created November 15, 2017 00:01
Splunk - Correlation Search starter for user authenticating to multiple hosts in a short time period
| tstats summariesonly=t dc(Authentication.dest) from datamodel=Authentication.Authentication by Authentication.user,_time span=5m
| `drop_auth_dm`
| eventstats avg("dc(Authentication.dest)") as avg stdev("dc(Authentication.dest)") as stdev by "user"
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(4))
| eval isOutlier=if('dc(Authentication.dest)' < lowerBound OR 'dc(Authentication.dest)' > upperBound, 1, 0)
| search isOutlier=1
| eval myTime=relative_time(now(), "-15m@m")
| eval time=_time
| where time>=myTime
| fields - avg,lowerBound,myTime,time
| rename upperBound AS alert_threshold
| eval alert_threshold=round(alert_threshold, 2)
| eval stdev=round(stdev, 2)
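To make the threshold maths in the search above easy to reason about and test offline, here is an added Python re-implementation of the same pipeline (bucket per user into 5-minute spans, distinct-count destinations, per-user average and sample standard deviation via eventstats, lower bound avg-2σ, upper bound avg+4σ, keep only outliers from the last 15 minutes, round). It is not the gist's code and not SPL; it runs over constructed events, with a fixed NOW, and it assumes the gist's `drop_auth_dm` macro (not defined on the page) only strips the `Authentication.` prefix, as the stock `drop_dm_object_name("Authentication")` does, and that Splunk's `stdev()` is the sample standard deviation.

```python
"""Added example: Python re-implementation of the gist's SPL outlier logic.
Not the gist's code. Events, NOW and the user names are all constructed."""
from collections import defaultdict
from statistics import mean, stdev

SPAN = 300        # _time span=5m
LOOKBACK = 900    # relative_time(now(), "-15m@m")
NOW = 1510704000  # assumed "now": 2017-11-15T00:00:00Z, on a minute boundary


def synth_events(user, pattern):
    """Constructed Authentication events as (epoch, user, dest) tuples.
    pattern maps k (the k-th 5-minute bucket before NOW) to the number of
    distinct destinations in that bucket. A repeat login to host00 is added
    to every bucket so distinct-count, not event-count, is what is measured."""
    events = []
    for k, n in pattern.items():
        start = NOW - k * SPAN
        for i in range(n):
            events.append((start + 17 * i, user, f"host{i:02d}"))
        events.append((start + 290, user, "host00"))
    return events


def baseline_pattern():
    # 24 ordinary buckets alternating between 1 and 2 distinct hosts
    return {k: (1 if k % 2 == 0 else 2) for k in range(2, 26)}


SAMPLE_EVENTS = (
    synth_events("alice", {**baseline_pattern(), 1: 10})            # 10 hosts in the last 5 min
    + synth_events("bob", {**baseline_pattern(), 1: 2})             # within the normal range
    + synth_events("carol", {**{k: 1 for k in range(2, 26)}, 1: 2}) # near-zero-variance baseline
    + synth_events("dave", {**baseline_pattern(), 12: 10, 1: 1})    # spike an hour ago, outside -15m
)


def bucket_distinct_dests(events, span=SPAN):
    """tstats dc(Authentication.dest) ... by Authentication.user,_time span=5m.
    Only buckets containing at least one event exist; quiet buckets are not zeros."""
    dests = defaultdict(set)
    for ts, user, dest in events:
        dests[(user, ts - ts % span)].add(dest)
    return {key: len(s) for key, s in dests.items()}


def per_user_baseline(counts):
    """eventstats avg(...) stdev(...) by user. Splunk's stdev() is the sample
    standard deviation, hence statistics.stdev; a lone bucket yields 0.
    Note the bucket being scored is part of its own baseline, as in the gist."""
    vals = defaultdict(list)
    for (user, _t), dc in counts.items():
        vals[user].append(dc)
    return {u: (mean(v), stdev(v) if len(v) > 1 else 0.0) for u, v in vals.items()}


def find_outliers(events, now=NOW, lookback=LOOKBACK, low_k=2, high_k=4):
    """The gist's pipeline end to end: bucket, baseline, bound, filter to the
    recent window, then round stdev and alert_threshold to two places."""
    counts = bucket_distinct_dests(events)
    base = per_user_baseline(counts)
    cutoff = now - lookback
    hits = []
    for (user, t), dc in sorted(counts.items()):
        avg, sd = base[user]
        lower, upper = avg - low_k * sd, avg + high_k * sd
        is_outlier = dc < lower or dc > upper
        if is_outlier and t >= cutoff:
            hits.append({"user": user, "_time": t, "dc_dest": dc,
                         "stdev": round(sd, 2), "alert_threshold": round(upper, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_outliers(SAMPLE_EVENTS):
        print(hit)
```

Running it on the constructed data flags alice (10 hosts against a threshold of about 8.93) and carol, whose baseline is so flat that going from 1 host to 2 clears avg+4σ (threshold 1.84); bob stays quiet and dave's spike is an outlier but falls outside the 15-minute window. Two operational points follow from the code: the baseline is whatever the search's time range covers, so the correlation search must run over days of history even though it only alerts on the last 15 minutes, and because the scored bucket is included in its own average and standard deviation, a short window lets a spike inflate its own threshold (nine normal buckets plus one bucket of 10 hosts gives a threshold near 13.3, and nothing fires). Quiet buckets are absent rather than zero, which biases the average upward, and the lower bound rarely matters for counts that are never below 1.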