Identifying an asset over multiple sourcetype events

shiftey
Path Finder

Hi Splunk Answers,
First post here, go easy on me!
We're running Splunk ES and I would like to create a correlation search. The criteria are:
If an IDS event is received for an internal IP (I could specify a range if required) (first sourcetype) and that same IP has received a malware alert within an hour of the IDS event (second sourcetype), then create a notable event.

Any clues as to what my syntax would be for this?

Cheers

0 Karma
1 Solution

dineshraj9
Builder

Either do a join or try map search -

1) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time1 | join IP [ search index=idx2 sourcetype=sourcetype2 | table _time IP | rename _time as time2 ] | eval diff=abs(time1 - time2) | search diff < 3600

2) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time1 | map search=" index=idx2 sourcetype=sourcetype2 IP=$IP$ | table _time IP | rename _time as time2 | eval diff=abs($time1$ - time2) | search diff < 3600 "


0 Karma


shiftey
Path Finder

Thanks for that,

I am seeing results, what I am seeing is table headers:

time1 IP diff time2

time1 appears to show the date and time for the first sourcetype event and IP shows the IP. The time2 field is blank and diff shows a value which I think is in seconds? How would I show the associated event description with each sourcetype, just a case of adding to the table?

e.g. sourcetype1=ids, sourcetype2=malware, how could I see the associated event description of each sourcetype?

Hope that makes sense 🙂

0 Karma

dineshraj9
Builder

My apologies, there was a typo in my previous post. It should be | convert ctime(time2) as time2 (I had given time1).

Use the _raw field to show the entire event. You can also give any other extracted fields from the events.

1) index=idx1 sourcetype=sourcetype1 | table _time IP _raw | rename _time as time1, _raw as event1 | join IP [ search index=idx2 sourcetype=sourcetype2 | table _time IP _raw | rename _time as time2, _raw as event2 ] | eval diff=abs(time1 - time2) | search diff < 3600 | convert ctime(time1) as time1 | convert ctime(time2) as time2

2) index=idx1 sourcetype=sourcetype1 | table _time IP _raw | rename _time as time1, _raw as event1 | map search=" index=idx2 sourcetype=sourcetype2 IP=$IP$ | table _time IP _raw | rename _time as time2, _raw as event2 | eval diff=abs($time1$ - time2) | search diff < 3600 " | convert ctime(time1) as time1 | convert ctime(time2) as time2

0 Karma
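An added example (mine, not dineshraj9's or shiftey's) of the same correlation written as a single search without join or map: join keeps only the first matching subsearch row per IP by default (max=1) and subsearches are capped by result count and run time, so pairs can be silently dropped. This version sorts both sourcetypes by IP and time and uses streamstats to carry the most recent IDS and malware timestamp per IP, so an event of either kind is flagged when the other kind occurred within the previous hour. It assumes the index and sourcetype names from the thread, a common field named IP in both sourcetypes, and an internal range of 10.0.0.0/8 (a placeholder; substitute your own).

```spl
((index=idx1 sourcetype=sourcetype1) OR (index=idx2 sourcetype=sourcetype2))
| where cidrmatch("10.0.0.0/8", IP)
| eval kind=if(sourcetype="sourcetype1", "ids", "malware")
| eval ids_time=if(kind="ids", _time, null()), mal_time=if(kind="malware", _time, null())
| sort 0 IP _time
| streamstats current=f last(ids_time) as last_ids_time last(mal_time) as last_mal_time by IP
| eval diff=case(kind="malware" AND isnotnull(last_ids_time), _time - last_ids_time,
                 kind="ids" AND isnotnull(last_mal_time), _time - last_mal_time)
| where diff <= 3600
| convert ctime(_time) as event_time
| table event_time IP kind diff _raw
```

diff is in seconds, measured from the earlier event of the other kind; when this is saved as an ES correlation search, drop the final table and let the notable event action pick up IP, kind and _raw.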

ppablo
Retired

Hi @shiftey and @dineshraj9

Please be sure that when responding to someone's answer, you click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your responses to each other in the "Enter your answer here..." box at the very bottom of the page, which instead posts a brand new answer when it was really meant as a comment. This will help with a clean, continuous flow of the conversation. I already converted your "answers" to comments appropriately, so just something to keep in mind from here on out. Thanks and happy Splunking!

0 Karma

dineshraj9
Builder

_time is an internal field and it won't show up on the left. _time would be in epoch form. So at the end just process the time1 and time2 fields.

1) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time1 | join IP [ search index=idx2 sourcetype=sourcetype2 | table _time IP | rename _time as time2 ] | eval diff=abs(time1 - time2) | search diff < 3600 | convert ctime(time1) as time1 | convert ctime(time1) as time2

2) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time1 | map search=" index=idx2 sourcetype=sourcetype2 IP=$IP$ | table _time IP | rename _time as time2 | eval diff=abs($time1$ - time2) | search diff < 3600 " | convert ctime(time1) as time1 | convert ctime(time1) as time2

0 Karma

shiftey
Path Finder

Thanks for your response dineshraj9

In my case I don't have a "_time" field.
Time is broken down with the fields below, with example values
How can I eval time while considering the date also?

date_hour = 15
date_mday = 25
date_minute = 36
date_month = may
date_second = 28
date_wday = monday
date_year = 2015
date_zone = 0
timestartpos = 24
timeendpos = 0
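An added example (mine, not from the thread) that composes one epoch value from the date_* fields listed above, so the hour-window comparison can use it. It assumes the index and sourcetype names from the thread and that date_zone is 0 (UTC) as in the sample values; the month name is capitalised first because Splunk's strptime %b expects "May" rather than "may". Every indexed event also carries _time, which simply is not listed in the field sidebar, so the last column lets you confirm the composed value against it.

```spl
index=idx1 sourcetype=sourcetype1
| eval mon=upper(substr(date_month, 1, 1)).lower(substr(date_month, 2))
| eval ts_text=date_year."-".mon."-".date_mday." ".date_hour.":".date_minute.":".date_second." +0000"
| eval event_epoch=strptime(ts_text, "%Y-%b-%d %H:%M:%S %z")
| eval event_readable=strftime(event_epoch, "%Y-%m-%d %H:%M:%S")
| table IP ts_text event_epoch event_readable _time
```

For the sample values above, ts_text becomes "2015-May-25 15:36:28 +0000" and event_epoch should match the _time column; if your events carry a non-zero date_zone, replace the fixed " +0000" with the matching offset before trusting the result.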

0 Karma