diff --git a/docs/searches/threat_object_prevalence.md b/docs/searches/threat_object_prevalence.md index af309d3..76bc611 100644 --- a/docs/searches/threat_object_prevalence.md +++ b/docs/searches/threat_object_prevalence.md @@ -4,10 +4,10 @@ ## Create a Saved Search - You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently. Create a new saved search with this logic: + You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently over a long timeframe. Create a new saved search with this logic: ```shell linenums="1" -| tstats summariesonly=t count earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object +| tstats summariesonly=t count dc(All_risk.risk_object) as dc_objects earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object | rename All_Risk.threat_object as threat_object | convert ctime(first_time) as first_time | convert ctime(last_time) as last_time | outputlookup threat_object_count.csv 
@@ -17,7 +17,7 @@ You might want to include more details here, like lists of searches that fired t ## Incorporating into Risk Notables -Because of potential overlaps with multi-value fields, we might need to change our initial `tstats` logic to keep threat objects separate for a bit. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule: +Because of potential overlaps in multi-value fields for threat object, we need to change our initial `tstats` logic to keep them separate until after we enrich. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule with some modifications: ```shell linenums="1" | tstats `summariesonly` @@ -44,6 +44,6 @@ from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type, | where capped_risk_score > 100 ``` -I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, and especially when observed on multiple machines. +We have to keep in mind order of operations to ensure our logic continues working as intended. I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, especially when observed on multiple machines. Finally I wrapped it back up with `stats` to utilize our score stacking logic again, now informed by our threat object prevalence adjustments.
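Review bot: In the first hunk (`@@ -4,10 +4,10 @@`), the new `dc(All_risk.risk_object) as dc_objects` uses lowercase `All_risk`, while every other reference in the same search uses `All_Risk` (`from datamodel=Risk.All_Risk by All_Risk.threat_object`). Data model field names are case-sensitive in `tstats`, so as written `dc_objects` will come back empty for every threat object and the "observed on multiple machines" adjustment described later in the doc will never trigger. Suggest `dc(All_Risk.risk_object) as dc_objects`. It is also worth a sentence in the prose that `threat_object_count.csv` now carries the extra `dc_objects` column, since anything already consuming that lookup will see a new field.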
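Review bot: In the second hunk (`@@ -17,7 +17,7 @@`), "with some modifications:" introduces a search block without saying what was modified; the reader only finds out after the block, in the closing paragraph. Suggest naming the modifications up front (threat_object moved from `values()` into the `BY` clause, enrichment from `threat_object_count.csv`, then a final re-aggregation), and tightening "potential overlaps in multi-value fields for threat object" to "the multi-value `threat_object` field", since that is the specific field the rest of the sentence is about.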