Update threat_object_prevalence.md
better clarity of what's happening
7thdrxn authored Sep 1, 2023
1 parent 32a01e4 commit f6e1d44
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions docs/searches/threat_object_prevalence.md
Expand Up @@ -4,10 +4,10 @@

## Create a Saved Search

You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently. Create a new saved search with this logic:
You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently over a long timeframe. Create a new saved search with this logic:

```shell linenums="1"
| tstats summariesonly=t count earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object
| tstats summariesonly=t count dc(All_risk.risk_object) as dc_objects earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object
| rename All_Risk.threat_object as threat_object
| convert ctime(first_time) as first_time | convert ctime(last_time) as last_time
| outputlookup threat_object_count.csv
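Review bot: the new `dc(All_risk.risk_object)` on the replacement `tstats` line uses a lowercase `r` in `All_risk`, while every other reference on the page (`datamodel=Risk.All_Risk`, `All_Risk.threat_object`, the `rename` line) uses `All_Risk`. Field names are case-sensitive in `tstats`, so `dc_objects` will come back empty instead of counting distinct risk objects, which silently breaks the "observed on multiple machines" adjustment the rest of the doc relies on. Suggest `dc(All_Risk.risk_object) as dc_objects`. Since `dc_objects` is now written into `threat_object_count.csv`, one sentence in the prose above saying the lookup carries a distinct-risk-object count alongside the event count would also help.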
Expand All @@ -17,7 +17,7 @@ You might want to include more details here, like lists of searches that fired t

## Incorporating into Risk Notables

Because of potential overlaps with multi-value fields, we might need to change our initial `tstats` logic to keep threat objects separate for a bit. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule:
Because of potential overlaps in multi-value fields for threat object, we need to change our initial `tstats` logic to keep them separate until after we enrich. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule with some modifications:

```shell linenums="1"
| tstats `summariesonly`
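Review bot: in the rewritten sentence, "keep them separate until after we enrich" leaves "them" ambiguous between the threat objects and the multi-value fields; suggest "keep threat objects separate until after we enrich with the lookup". "threat object" here names the field and should be written as `threat_object` in backticks, matching the rest of the doc. "with some modifications" could also name the modification up front (moving threat_object out of `values()` and into the `BY` clause), since the reader sees the code block before the explanation that follows it.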
Expand All @@ -44,6 +44,6 @@ from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type,
| where capped_risk_score > 100
```

I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, and especially when observed on multiple machines.
We have to keep in mind order of operations to ensure our logic continues working as intended. I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, especially when observed on multiple machines. Finally I wrapped it back up with `stats` to utilize our score stacking logic again, now informed by our threat object prevalence adjustments.

<<potentially an image here to show the adjusted scores after threat object changed them?>>
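Review bot: the new opening sentence, "We have to keep in mind order of operations", does not say what the order is; suggest stating it, e.g. that the lookup enrichment and score adjustment must come after the `tstats ... by ...threat_object` split and before the closing `stats`, so that the `where capped_risk_score > 100` filter at the end of the block evaluates the adjusted, re-stacked score. The sentence after it still mixes tenses ("took out ... and add it ... Then I utilize"); "added" and "utilized" would match "took out" and "wrapped". The `<<potentially an image here ...>>` author note is unchanged context, but it renders in the published markdown; it should be resolved or moved into an HTML comment before this page ships.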
