
Merge pull request #649 from CrossRealms/unusual-network-traffic-impr…
…ovement

Updated the condition for the upper-bound calculation.
hardikhdholariya authored Oct 3, 2024
2 parents 3113176 + ec27c00 commit 4900d56
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions cyences_app_for_splunk/default/savedsearches.conf
Expand Up @@ -2904,8 +2904,8 @@ request.ui_dispatch_app = cyences_app_for_splunk
request.ui_dispatch_view = search
search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_ip) as dc_src_ip from datamodel=Network_Traffic where `cs_public_ips(All_Traffic.src_ip)` by _time span=1h, sourcetype \
| `cs_drop_dm_object_name(All_Traffic)` \
| eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \
| eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \
| eval total_MB = round(total_bytes/(1024*1024),2) | fields - total_bytes \
| eval total_m_packets = round(total_packets/1000000,2) | fields - total_packets \
| stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(dc_src_ip) as avg_dc_src_ip, stdev(dc_src_ip) as stdev_dc_src_ip, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \
| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*5), upperBound_dc_src_ip=(avg_dc_src_ip+stdev_dc_src_ip*3), upperBound_total_MB=(avg_total_MB+stdev_total_MB*5) \
| foreach avg*, std*, upperBound* [| eval <<FIELD>>=round(<<FIELD>>, 2)] \
Expand Down Expand Up @@ -2933,8 +2933,8 @@ request.ui_dispatch_app = cyences_app_for_splunk
request.ui_dispatch_view = search
search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` by _time span=1h, All_Traffic.src_ip \
| `cs_drop_dm_object_name(All_Traffic)` \
| eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \
| eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \
| eval total_MB = round(total_bytes/(1024*1024),2) | fields - total_bytes \
| eval total_m_packets = round(total_packets/1000000,2) | fields - total_packets \
| stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by src_ip \
| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*5), upperBound_total_MB=(avg_total_MB+stdev_total_MB*5) \
| foreach avg*, std*, upperBound* [| eval <<FIELD>>=round(<<FIELD>>, 2)] \
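Review bot: The per-bucket rounding in the `eval total_MB = round(...)` / `eval total_m_packets = round(...)` lines feeds the `stats avg(...)`/`stdev(...)` one line later, so the baseline is built on values already truncated to 0.01 M packets and 0.01 MB; the page has lost its +/- markers, but assuming the `,2)` lines are the new side the commit narrows this loss (from 0.1) without removing it. In the second hunk, grouped by `src_ip`, a host whose hourly packet count stays under 5,000 gets 0.00 in every bucket, so `avg`, `stdev` and therefore `upperBound_total_m_packets` all collapse to 0 and whatever comparison is later applied to that host (outside the hunk) is presumably meaningless; the first hunk, grouped by `sourcetype`, has the same shape. Aggregating the raw values and rounding only for display would avoid this: `| eval total_MB = total_bytes/(1024*1024) | fields - total_bytes \` and `| eval total_m_packets = total_packets/1000000 | fields - total_packets \`, with the existing `foreach avg*, std*, upperBound* [| eval <<FIELD>>=round(<<FIELD>>, 2)]` line still producing the 2-decimal output. The commit message says the upper-bound condition was updated, yet the `upperBound_*` eval lines appear as unchanged context in both hunks, so a description that names the precision change (e.g. "round hourly MB/packet values to 2 decimals before computing the baseline") would match what the diff shows.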
