topic Re: Potential Correlation Searches SPL in Security

What are some potential correlation search SPL?

AL3Z — Tue, 04 Apr 2023 10:59:11 GMT

Hi,

Looking for SPL like within a brief span of time, say two hours, a user prompts alerts for both PDM and encrypted files.

thanks

Re: Potential Correlation Searches SPL

gcusello — Mon, 27 Mar 2023 14:55:10 GMT

Hi @AL3Z,

probably you should try to better describe your requirement!

whick data source are you speaking?

why do you speak of Correlation Search?

did you checked if in Splunk baseline there's some Use Case for your technology?

did you checked if in Splunk Security essentials App there's some Use Case for your technology?

Ciao.

Giuseppe

Re: Potential Correlation Searches SPL

AL3Z — Mon, 27 Mar 2023 15:00:11 GMT

@gcusello
Hi,

My requirement to find the where a user triggers both PDM and Encrypted file alerts in a short period of time (like 2 hours)
Datasource is of DLP

Ciao.

Re: Potential Correlation Searches SPL

gcusello — Mon, 27 Mar 2023 15:12:36 GMT

Hi @AL3Z,

could you share some sample of these two kind of alerts?

indicating the correlation key between them?

Ciao.

Giuseppe

Re: Potential Correlation Searches SPL

AL3Z — Wed, 29 Mar 2023 08:29:26 GMT

Re: Potential Correlation Searches SPL

AL3Z — Mon, 27 Mar 2023 18:08:25 GMT

Pls use above sample event for this use case
when User triggers diferent PDM alerts in a short period of time (EX Block on Gmail and block on external apps)...

Re: Potential Correlation Searches SPL

gcusello — Mon, 27 Mar 2023 16:23:19 GMT

hi @AL3Z,

this is one alert sample and the other?

could you highlight in bold the correlation key to use?

Ciao.

Giuseppe

Re: Potential Correlation Searches SPL

AL3Z — Tue, 28 Mar 2023 00:35:30 GMT

@gcusello

Please find the sample event key points highlighted with red colour

Re: Potential Correlation Searches SPL

gcusello — Tue, 28 Mar 2023 06:17:13 GMT

Hi @AL3Z,

this is one kind of alert (PDM I suppose), can you share a sample of the other kind of alert or does it have the same format and only different message?

Ciao.

Giuseppe

Re: Potential Correlation Searches SPL

AL3Z — Tue, 28 Mar 2023 20:45:46 GMT

@gcusello could you brief about PDM abbrevation and concept

Re: Potential Correlation Searches SPL

gcusello — Wed, 29 Mar 2023 06:52:55 GMT

Hi @AL3Z,

PDM is an acronym that I don't know and that you used.

In few words, you have to:

identify the rules to filter only the events you need in both data sources (e.g. index and sourcetype), for this reason I asked two samples of data, one for each data source to correlate,
then identify a correlation key (e.g. user), a common field in both the data sources, if they have a different file name you have to rename one of them to have the same,
and then define the rules (e.g. user present in both the data sources) to apply a final filter,

in this way , you should have something like this, to find events where user is present in both data sources:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | stats dc(index) AS index_count values(index) AS index BY user | where index_count=2

Ciao.

Giuseppe

Re: Potential Correlation Searches SPL

AL3Z — Mon, 03 Apr 2023 17:59:43 GMT

@gcusello ,

Hi,

You're on different track my requirement is if single user triggers an alert say alert_name other than pdm in between 2 hours more than 3 times .

How could we achieve it using eval .

Thanks 👍

Re: Potential Correlation Searches SPL

gcusello — Tue, 04 Apr 2023 06:34:53 GMT

Hi @AL3Z,

so the condition is triggering an alert, not that the alert must be in both the indexes,

in this case, please try the same with a different final condition:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | stats dc(index) AS index_count values(index) AS index values(pdm) AS pdm BY user | where index_count=1 AND index=index1

the thing that I don't understand is what's the condition for pdm.

Ciao.

Giuseppe