Security

Correlate between source-types (IDS + OSINT sources)

aswanda
Engager

I am trying to correlate the field src_IP between all my IDS alerts (sourcetype=estreamer) and OSINT data I am pulling from a custom script. The OSINT script scrapes websites for known bad attacker IP addresses and I would like to know if any of the src_IP values from my IDS alerts match any of the src_IP values from the OSINT data.

I was looking at subsearches, which seems to be the best way to correlate across different data sets, but I am not having much luck with the syntax.

What I tried was something like this:
sourcetype=estreamer | sourcetype=osint | top limit 100 src_IP | table src_IP

Which I thought should compare the two src_IP fields from each sourcetype and only show the matching results.
Am I headed in the right direction? Any help would be great!

1 Solution

gkanapathy
Splunk Employee

No. The syntax for subsearch is more like:

sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return 10000 src_ip ] | top limit=100 src_ip

or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.

gkanapathy
Splunk Employee

No, in that case you can rename the field, e.g.,

... [ sourcetype=osint | dedup dst_ip | return 10000 src_ip=dst_ip ] ...

or as you said, alias them permanently. But you have to make the inner field match what's in the outer search.

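Putting the accepted answer and the rename follow-up together, here is an added example (not code from the thread or from Splunk) of three ways to match IDS source addresses against the OSINT list when the field names differ. The sourcetypes `estreamer` and `osint` and the fields `src_ip` and `dst_ip` are the ones used in the replies above; the lookup file name `osint_bad_ips.csv` is an assumed name. The first search is the subsearch form with the rename from the follow-up reply; `return` emits only one row unless a count is given, so `10000` (the default subsearch result limit) is passed explicitly. The second search avoids the subsearch entirely: both sourcetypes are pulled into one search, the address is normalised into a common field, and only addresses seen in both sourcetypes are kept, so it is not subject to the default 10,000-result / 60-second subsearch limits. The third writes the OSINT addresses to a CSV lookup and matches alerts against it, which is the usual shape for a scheduled threat-intel feed.

```spl
sourcetype=estreamer
    [ search sourcetype=osint
      | dedup dst_ip
      | return 10000 src_ip=dst_ip ]
| stats count AS alerts earliest(_time) AS first_seen latest(_time) AS last_seen BY src_ip
| convert ctime(first_seen) ctime(last_seen)
| sort - alerts

(sourcetype=estreamer src_ip=*) OR (sourcetype=osint dst_ip=*)
| eval ip=coalesce(src_ip, dst_ip)
| stats dc(sourcetype) AS sourcetypes
        count(eval(sourcetype="estreamer")) AS alerts
        values(sourcetype) AS seen_in BY ip
| where sourcetypes=2
| fields - sourcetypes
| sort - alerts

sourcetype=osint
| dedup dst_ip
| rename dst_ip AS ip
| table ip
| outputlookup osint_bad_ips.csv

sourcetype=estreamer
| lookup osint_bad_ips.csv ip AS src_ip OUTPUT ip AS osint_match
| where isnotnull(osint_match)
| stats count AS alerts BY src_ip
| sort - alerts
```

Each blank-line-separated search is run on its own; the `outputlookup` search is meant to be scheduled at the same interval as the scraping script so the lookup tracks the feed, and the final search then runs as the alerting search. Field names are case-sensitive in Splunk search, so `src_IP` in the question and `src_ip` in the replies are different fields: use whichever name the sourcetype actually extracts, or add `| rename src_IP AS src_ip` before correlating.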

aswanda
Engager

Is there a way to correlate the same query but say src_ip from one source and dst_ip from the other?
I think your answer will work if I create field aliases, but for other types of correlations that don't have a common field - is it still possible?
