
Here’s a nifty Splunk Enterprise Security (ES) tuning tip that you might enjoy. We’ll be using some handy macros that are documented at Working_with_Notable_Events_from_Search, if you’d like to read up on the background.
What’s the most expensive, valuable, and constrained resource in a security team?
Human attention.
How many security analysts are there?
| `notable_owners` | stats count | eval sec_analysts=(count-1)
How long does it take them to forensically analyze an incident? We can get some hints by looking at the amount of review activity… Audit > Incident Review Audit and Audit > Suppression Audit are of course useful, but you can also do this sort of thing:
| `incident_review` | search status_default=false | timechart span=1day count by reviewer usenull=f
“Forensically analyze” is a loaded phrase though… it takes 3 seconds to suppress or close yet another administratively overridden known issue, but it can take hours or days to trace, resolve, and prevent the real thing. So let’s put a finger in the wind and say “one hour” is the target for an analyst to spend on an incident.
How many hours are there in the work day?
8-12, realistically.
If you look at notable events, are there any rules that are generating more events than your analysts are capable of looking at?
| `notable_owners` | stats count | eval sec_analysts=(count-1) | eval analyst_capacity=(sec_analysts*12) | map search="search `notable` | stats count by source | where count>$analyst_capacity$"
Those are the correlation searches that need to be tuned.
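One caveat with the search above: `stats count by source` counts notables over whatever time range the time picker is set to, while `analyst_capacity` is a per-day figure, so the comparison only holds when the search window is exactly one day. As an added example (not from the original post), here is the same check with the per-source count normalised to a daily rate, so it can be run over a week or a month and still compare like with like. It keeps the post's own assumptions (twelve working hours per analyst per day, one hour per incident, and the `-1` to discount the unassigned placeholder row that `notable_owners` returns) and additionally assumes that `addinfo` is available to read the search window boundaries and that `notable` expands to the notable-event search as in the original.

```spl
`notable_owners`
| stats count
| eval sec_analysts=count-1
| eval daily_capacity=sec_analysts*12
| map search="search `notable`
    | addinfo
    | eval window_days=max(1, ceil((info_max_time-info_min_time)/86400))
    | stats count AS notables, max(window_days) AS window_days BY source
    | eval per_day=round(notables/window_days, 1)
    | where per_day > $daily_capacity$
    | sort - per_day"
```

Set an explicit time range rather than All time: `addinfo` reports `info_max_time` as +Infinity for an open-ended window and `window_days` would be meaningless. The outer pipeline still produces a single row, so `map` runs the inner search once, substituting `$daily_capacity$` with the computed value; the result lists only the correlation searches whose average daily notable volume exceeds what the team can actually review, highest first.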
----------------------------------------------------
Thanks!
Jack Coates