LoFP

If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.

Sample rules

DNS Query Length Outliers - MLTK

Description

This search allows you to identify DNS requests that are unusually large for the record type being requested in your environment.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type
| search DNS.record_type=*
| `drop_dm_object_name(DNS)`
| `security_content_ctime(start_time)`
| `security_content_ctime(end_time)`
| eval query_length = len(query)
| apply dns_query_pdfmodel threshold=0.01
| rename "IsOutlier(query_length)" as isOutlier
| search isOutlier > 0
| sort -query_length
| table start_time end_time query record_type count src dest query_length
| `dns_query_length_outliers___mltk_filter`

SMB Traffic Spike - MLTK

Description

This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.

Detection logic


| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src 
| eval HourOfDay=strftime(_time, "%H") 
| eval DayOfWeek=strftime(_time, "%A") 
| `drop_dm_object_name(All_Traffic)` 
| apply smb_pdfmodel threshold=0.001 
| rename "IsOutlier(count)" as isOutlier 
| search isOutlier > 0 
| sort -count 
| table _time src dest port count 
| `smb_traffic_spike___mltk_filter`
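The support searches that build `dns_query_pdfmodel` and `smb_pdfmodel` are not shown on this page. The block below is an added illustration, not the project's own baseline searches, of how both models would be fitted with MLTK's `fit DensityFunction` so that the detection searches above can `apply` them; the tstats fields mirror the two detection searches, and the `threshold` values and the choice of `by` fields are assumptions made to match the apply-time settings used above.

```spl
| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type
| `drop_dm_object_name(DNS)`
| eval query_length = len(query)
| fit DensityFunction query_length by record_type threshold=0.01 into dns_query_pdfmodel

| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src
| eval HourOfDay=strftime(_time, "%H")
| eval DayOfWeek=strftime(_time, "%A")
| `drop_dm_object_name(All_Traffic)`
| fit DensityFunction count by "HourOfDay,DayOfWeek" threshold=0.001 into smb_pdfmodel
```

Each `fit` is a separate scheduled search; `threshold` is the fraction of the fitted distribution's tail that `apply` will flag as `IsOutlier`, so lowering it at fit or apply time is what reduces the number of results, and re-running these searches on a schedule is what the note means by re-building the model on the latest data.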