fuzzy times

A macro to give a human readable time to each event, like “earlier today” or “last month”.


predicting and detecting anomalous behavior

Splunk 5.0 brings some interesting new anomaly prediction commands to the table. While I haven’t had time to really drill into everything that’s available, I did enjoy playing with the new predict command (nota bene that it has an even smarter cousin, x11, which understands seasonal patterns). Give it an event stream and it will give you a “band of normalcy” tracking the 95th percentile ceiling and floor… along with predictions of what those values might expand to.

Of course, as soon as we have a band of normalcy we might start thinking about notifying people if there are any events where reality leaves that band…

sourcetype="iis" | timechart span=1m count(dest) as distinct_count | predict distinct_count | rename upper95(prediction(distinct_count))


Workflow Action and Blocklists

Extending the blocklists in Enterprise Security with workflow actions


Simple Correlation in Splunk

As I promised at .conf, I’m going to start posting a series on writing effective correlation searches, in the hopes that I will get better at doing so.

First, framework. Alberto Cairo’s The Functional Art has a good summation of DIKW (Data, Information, Knowledge, Wisdom) Hierarchies. In short, we’re going to structure our search in a way that lets us gather Data, structure Information, and return Knowledge. This is what I called the correlation three-step in my .conf talk on Technology Add-ons: Gather a pool of Data, structure or extract Information for testing, test to acquire Knowledge. Hopefully that will lead to Wisdom, but any gaps are left as an exercise for the reader.

In order to keep it…


Cognitive Splunking

Hi! Like Rob Reed I get a little excited when things go meta, and I’ve been spending a lot of time being excited at Splunk. One of the things that makes Splunk such a powerful tool is the fact that you can change your meta-cognition filters around on the fly via the magic of late-binding schemas. Index now, understand later is a pretty awesome trick, because it enables Splunk users to continue learning and leverage new understanding instead of getting stuck in whatever was sensible at the time of indexing. Since I spend my days on security and compliance problems this is an obviously useful mechanism, but I’d like to take a little time to write about why it’s
