Got tired of having to go through each data source to determine which indexes should go into the Splunk_SA_CIM search macros, so this search does the legwork.
index=* | fields index, tag, user, action, object_category | eval datamodel = if(tag="alert", index.".". "alert", datamodel) | eval datamodel = if(tag="listening" AND tag="port", index.".". "application_state_deprecated".".". "endpoint", datamodel) | eval datamodel = if(tag="process" […]
IPS Traffic Increase
You can use this for any kind of baselining alert built around a predefined standard deviation. I used the IDS data model, but the same logic can be applied to any index.
| `tstats` count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.ids_type="network" by IDS_Attacks.dest,_time span=10m | stats count by IDS_Attacks.dest,_time | eval threshold=relative_time(now(),"-10m") | stats max(eval(if(_time>=threshold, count, null()))) as latest […]