Splunk throttling issues to overcome false positive alerts in correlation search

Hi Splunkers,

We have a correlation rule for distinct malware infections on a system (two or more different malware on the system). The problem we are facing is that Splunk is triggering false notable events (alerts). The scenarios are all explained below along with the correlation parameters and the Splunk query:

```
tag=sophos_malware sourcetype="sophos:threats"
| eval detection_identity_name=coalesce(detection_identity_name,threat)
| stats values(_time) as Timestamp values(type) as Malware_Action values(detection_identity_name) as signature values(filePath) as filepath dc(filePath) as Unique_filepath_count values(suser) as Malware_affected_user dc(detection_identity_name) as UniqMalware_count values(endpoint_type) as Endpoint_Type count by dhost
| rename count as Malware_Count
| where UniqMalware_count > 1
```

**Splunk Condition**

- Time range is last 15 days
- Cron Schedule: every hour (every hour for the last 15 days)
- Scheduling: Continuous

**Throttling Condition**

- Window Duration: 15 days
- Fields to group by: dhost signature filepath

Scenario explained

Imagine the renju host is infected with three malwares at different timestamps. On detecting the second malware, Splunk will throw an alert, and on detecting the third malware it will again throw an alert. As the throttling period is 15 days, after 15 days it will run and Splunk will see a change in malware signature and will trigger the alert.

- Oct 10 - 10am Host Renju Malware-Anil
- Oct 11 - 11am Host Renju Malware-Peeyush -- Alert triggered as condition is met
- Oct 12 - 11am Host Renju Malware-Sudhir -- Alert triggered as condition is met
- Oct 25 - at 12am Splunk will trigger a false positive alert stating it has identified the renju host with Peeyush and Sudhir (the Anil malware won't be present as the Splunk time range won't pick it). But this was already reported on Oct 12.

- How to prevent Splunk from triggering the false positive?
- Is there any workaround on this issue, as all malwares were addressed?
- What happens if I don't mention any values in the throttling Window duration (keeping it blank) but mention the group by fields as grouping dhost signature filepath?
- What happens if I don't mention any values in the throttling Window duration (keeping it blank) and fields?
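The following Python simulation is an added illustration, not part of the original question or of Splunk's own code. It models the scenario above: a search over a sliding 15-day window, evaluated by scheduled runs, with throttling keyed on host plus the set of signatures returned (the `values(detection_identity_name)` multivalue field; the `filepath` group-by field is omitted for brevity). It shows why the Oct 25 run re-fires (the oldest detection leaves the window, so the signature set and therefore the throttle key change) and contrasts it with a stateful check that only alerts when a signature not previously alerted on for that host appears. The event timestamps, host name and signature names are constructed to match the post; the daily noon run is a stand-in for the hourly schedule.

```python
from datetime import datetime, timedelta

# Constructed sample detections mirroring the scenario in the question:
# (event time, dhost, detection_identity_name)
EVENTS = [
    (datetime(2023, 10, 10, 10), "renju", "Anil"),
    (datetime(2023, 10, 11, 11), "renju", "Peeyush"),
    (datetime(2023, 10, 12, 11), "renju", "Sudhir"),
]

# One scheduled run per day at noon (hypothetical stand-in for the hourly cron).
RUN_TIMES = [datetime(2023, 10, day, 12) for day in range(10, 32)]


def signatures_in_window(events, host, run_time, window):
    """Distinct signatures seen for `host` within the search time range ending at `run_time`."""
    start = run_time - window
    return frozenset(sig for t, h, sig in events if h == host and start <= t <= run_time)


def windowed_alerts(events, run_times, window=timedelta(days=15), throttle=timedelta(days=15)):
    """Emulate the scheduled search plus throttling on dhost + signature set.

    The throttle key includes the full signature set, so when an old detection
    ages out of the search window the key changes and the notable fires again,
    even though nothing new has happened on the host.
    """
    alerts = []
    last_fired = {}  # throttle key -> time it last fired
    hosts = {h for _, h, _ in events}
    for run in run_times:
        for host in sorted(hosts):
            sigs = signatures_in_window(events, host, run, window)
            if len(sigs) <= 1:
                continue  # UniqMalware_count > 1 not met
            key = (host, sigs)
            if key in last_fired and run - last_fired[key] < throttle:
                continue  # suppressed by throttling
            last_fired[key] = run
            alerts.append((run, host, sigs))
    return alerts


def stateful_alerts(events, run_times, window=timedelta(days=15)):
    """Alert only when the host shows a signature that has not been alerted on before.

    `known` plays the role of a per-host lookup of already-notified signatures;
    a signature set that merely shrinks (old detections aging out) never alerts.
    """
    alerts = []
    known = {}  # host -> set of signatures already alerted on
    hosts = {h for _, h, _ in events}
    for run in run_times:
        for host in sorted(hosts):
            sigs = signatures_in_window(events, host, run, window)
            if len(sigs) <= 1:
                continue
            new = sigs - known.get(host, set())
            if not new:
                continue  # nothing new for this host: no notable
            known.setdefault(host, set()).update(sigs)
            alerts.append((run, host, sigs))
    return alerts


if __name__ == "__main__":
    for label, alerts in (("window+throttle", windowed_alerts(EVENTS, RUN_TIMES)),
                          ("stateful", stateful_alerts(EVENTS, RUN_TIMES))):
        print(label)
        for run, host, sigs in alerts:
            print(f"  {run:%b %d %H:%M}  {host}  {sorted(sigs)}")
```

Running the block prints three alerts for the window-plus-throttle model (Oct 11, Oct 12 and the spurious Oct 25 one with only Peeyush and Sudhir) and two for the stateful model. In Splunk terms the stateful variant corresponds to persisting the already-notified host/signature pairs in a lookup (written with `outputlookup`, read back with `inputlookup` or a subsearch) and filtering those out before the `where` clause; that is one option, and the exact search depends on your environment.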