
generatetimerange command

Include the generatetimerange command to create high-confidence, aggregated groups of findings based on risk-based alerting.

Description

Generates the absolute time range used to aggregate findings created by an existing finding-based detection.

Each finding-based detection has a value associated with the max_append_time field in the savedsearches.conf configuration file. The max_append_time field is a relative time modifier, such as 7d, that specifies the maximum time range used to group findings and intermediate findings.

The generatetimerange command retrieves the value of max_append_time from the savedsearches.conf file for the finding-based detection. Based on that value, an earliest time and a latest time are calculated for each finding-based detection and stored in the detection_time_range lookup.

The generatetimerange command accesses the detection_time_range lookup to retrieve the value for earliest time and latest time, if they already exist.

When the values exist in the lookup and the latest time has not yet passed (that is, it is later than the current time), the values are considered accurate, and the earliest time and latest time are returned as the search result.

When the value in the lookup is stale for a given detection, the latest time has passed. A new earliest time and latest time are then calculated using max_append_time: the new earliest time is the previous latest time, and the new latest time is the new earliest time plus the max_append_time window. These new values are saved to the lookup and returned as the search result.
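The window-rolling logic described above, as an added Python model (not Splunk's own implementation): a dictionary stands in for the detection_time_range lookup, the timestamp layout is the one shown in the example output on this page, and it is assumed that a detection with no lookup row starts its window at the current time and that a stale row is advanced one whole window at a time until the latest time is no longer in the past, which is what keeps latest equal to or greater than the current time.

```python
import re
from datetime import datetime, timedelta

# Timestamp layout used by the generatetimerange output shown on this page.
TS_FMT = "%m/%d/%Y:%H:%M:%S"

# Units of the relative time modifier handled here (assumed subset: s, m, h, d, w).
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_max_append_time(modifier: str) -> timedelta:
    """Convert a max_append_time modifier such as '7d' or '24h' into a window length."""
    m = re.fullmatch(r"(\d+)([smhdw])", modifier.strip())
    if not m:
        raise ValueError(f"unsupported max_append_time modifier: {modifier!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def generate_time_range(lookup: dict, detection: str, max_append_time: str, now) -> dict:
    """Return {'earliest', 'latest'} for `detection`, rolling the window forward if stale.

    `lookup` models the detection_time_range lookup (detection name -> row) and is
    updated in place. `now` may be a datetime or a string in TS_FMT.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    window = parse_max_append_time(max_append_time)
    row = lookup.get(detection)
    if row is None:
        # Assumption: no stored row yet, so open a window starting at the current time.
        earliest, latest = now, now + window
    else:
        earliest = datetime.strptime(row["earliest"], TS_FMT)
        latest = datetime.strptime(row["latest"], TS_FMT)
        # Stale row: the latest time has passed. New earliest = previous latest,
        # new latest = new earliest + window; repeat until latest >= now (assumption).
        while latest < now:
            earliest, latest = latest, latest + window
    result = {"earliest": earliest.strftime(TS_FMT), "latest": latest.strftime(TS_FMT)}
    lookup[detection] = result  # persist, as the command does with the lookup
    return result
```

Because the window is absolute and advances in whole steps, findings that arrive just before and just after a boundary land in different finding groups; that is the trade-off for deterministic, reproducible aggregation.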

Syntax

Both the command name and the <String> argument are required.

| generatetimerange <String>

<String> is an existing finding-based detection.

Optional arguments

None

Examples

Generate the values for earliest time and latest time for an existing finding-based detection

| generatetimerange "Threat - Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days - Rule"

This generates a single result with an earliest and latest timestamp as follows: { "earliest": "09/25/2024:21:31:02", "latest": "10/02/2024:21:31:02"}. If the current timestamp has passed the latest timestamp, then the command updates the lookup with a new set of values so that the value of the latest time is always equal to or greater than the current time.

Create a custom finding-based detection SPL using the generatetimerange command

Create a custom finding-based detection SPL using the generatetimerange command to define the aggregation logic based on earliest time and latest time.

When writing a custom SPL for a finding-based detection, the generatetimerange command can be used to ensure that findings and intermediate findings within a max_append_time window are grouped together. For example, some of the default finding-based detections available in Splunk Enterprise Security such as Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days use it as follows:

| tstats `summariesonly` `common_fbd_fields`, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, values(source) as contributing_source, values(All_Risk.cim_entity_zone) as cim_entity_zone from datamodel=Risk.All_Risk where [ | generatetimerange "Threat - Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days - Rule" | return earliest, latest ] All_Risk.annotations.mitre_attack.mitre_tactic_id=* by All_Risk.normalized_risk_object, All_Risk.risk_object_type, index

The generatetimerange command is placed within a subsearch that returns absolute time modifiers, which helps to structure the grouping logic for this SPL within the absolute time window so that the findings are grouped together into a single finding group.

See also

Guidelines to create a custom finding-based detection
Finding-based detections available in Splunk Enterprise Security

Last modified on 28 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1, 8.0.2

