generatetimerange
command
Include the generatetimerange
command to create high-confidence, aggregated groups of findings based on risk-based alerting.
Description
Generates the absolute time range used to aggregate findings created by an existing finding-based detection.
Each finding-based detection has a value associated with the max_append_time
field in the savedsearches.conf
configuration file. The max_append_time
field serves as a relative time modifier to specify a maximum time range used to group findings and intermediate findings such as 7d
.
The generatetimerange
command retrieves the value for max_append_time
from the savedsearches.conf
file for the finding-based detection. Based on the value of the max_append_time
, an earliest time and latest time value is calculated for each finding-based detection, and stored in the detection_time_range
lookup.
The generatetimerange
command accesses the detection_time_range
lookup to retrieve the value for earliest time and latest time, if they already exist.
When the values exist in the lookup and the value of the latest time comes before the current time, the values are considered accurate and the values of the earliest time and latest time are returned as the search result.
When the value in the lookup is stale for a given detection, it implies that the latest time has passed. Then, a new value for the earliest time and latest time is calculated using max_append_time
. The new values for earliest time becomes the value for the previous latest time, and the new value for latest time becomes the sum of the values for the new earliest time and the window of the max_append_time
. These new values are saved to the lookup and are returned as the search result.
Syntax
The required syntax is in bold.
| generatetimerange <String>
<String> is an existing finding-based detection.
Optional arguments
None
Examples
Generate the values for earliest time and latest time for an existing finding-based detection
| generatetimerange "Threat - Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days - Rule"
This generates a single result with an earliest and latest timestamp as follows:
{ "earliest": "09/25/2024:21:31:02", "latest": "10/02/2024:21:31:02"}
.
If the current timestamp has passed the latest timestamp, then the command updates the lookup with a new set of values so that the value of the latest time is always equal to or greater than the current time.
Create a custom finding-based detection SPL using the generatetimerange
command
Create a custom finding-based detection SPL using the generatetimerange
command to define the aggregation logic based on earliest time and latest time.
When writing a custom SPL for a finding-based detection, the generatetimerange
command can be used to ensure that findings and intermediate findings within a max_append_time
window are grouped together. For example, some of the default finding-based detections available in Splunk Enterprise Security such as Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days use it as follows:
| tstats `summariesonly` `common_fbd_fields`, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, values(source) as contributing_source, values(All_Risk.cim_entity_zone) as cim_entity_zone from datamodel=Risk.All_Risk where [ | generatetimerange "Threat - Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days - Rule" | return earliest, latest ] All_Risk.annotations.mitre_attack.mitre_tactic_id=* by All_Risk.normalized_risk_object, All_Risk.risk_object_type, index
The generatetimerange
command is placed within a subsearch that returns absolute time modifiers, which helps to structure the grouping logic for this SPL within the absolute time window so that the findings are grouped together into a single finding group.
See also
Guidelines to create a custom finding-based detections | Finding-based detections available in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!