Dashboards & Visualizations

How to search source event based on the correlation search.

wayne_test
Explorer

For example.
I make a correlation search like:

|from datamodel:"Intrusion_Detection"
|eval type=signature+src+dest+dvc
|where severity="high"
|eval status_group="threat"
|stats latest(_time) as _time,values(host) as host,values(id) as id,values(severity) as severity,values(signature) as signature,values(src) as src,values(dest) as dest,values(dvc) as dvc,values(status) as status,values(status_group) as status_group,values(owner) as owner,values(governance) as governance,values(control) as control,values(action) as action count by type
|fillnull value="unknown" src,dest,dvc,governance,control,status,owner,status_group,host,action,user
|where count>10
| table _time,host,severity,signature,src,dest,dvc,status,status_group,owner,governance,control,count,action,id

And now, I want to find the original events of this correlation search. maybe like:

2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:57:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:33:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:20:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:43:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:48:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:47:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:59:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:50:00,172.18.1.1,critical,SQL Injection,10.0.0.2*

How can I do this?

Tags (1)
0 Karma

wenthold
Communicator

In your drill down search you can use the source event values by referencing the field name wrapped in $ - for example, if you want to search by the src field value from the notable event your drill down search criteria would include src=$src$.

I believe the values that you want to reference have to be defined in the Enterprise Security Configuration: "Incident Review Settings" -> "Incident Review - Event Attributes" table, and remember if you're using a datamodel in your correlation search that you have to remove the datamodel object name from the field names in that correlation search, for example:

| rename IDS_Attacks.* as *

.. or the built in macro drop_dm_object_name:

| `drop_dm_object_name("IDS_Attacks")`
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...