Security

Correlate between source-types (IDS + OSINT sources)

aswanda
Engager

I am trying to correlate the field src_IP between all my IDS alerts (sourcetype=estreamer) and OSINT data I am pulling from a custom script. The OSINT script scrapes websites for known bad attacker IP addresses and I would like to know if any of the src_IPs from my IDS alerts match any of the src_IPs from the OSINT data.

I was looking at subsearches, which seems to be the best way to correlate across different data sets, but I am not having much luck with the syntax.

What I tried was something like this:
sourcetype=estreamer | sourcetype=osint | top limit 100 src_IP | table src_IP

Which I thought should compare the two src_IP fields from each sourcetype and only show the matching results.
Am I headed in the right direction? Any help would be great!

0 Karma
1 Solution

gkanapathy
Splunk Employee

No. The syntax for subsearch is more like:

sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return 10000 src_ip ] | top limit=100 src_ip

or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.
aswanda
Engager

Is there a way to correlate the same query but say src_ip from one source and dst_ip from the other?
I think your answer will work if I create field aliases, but for other types of correlations that don't have a common field - is it still possible?

0 Karma

gkanapathy
Splunk Employee

No, in that case you can rename the field, e.g.,

... [ sourcetype=osint | dedup dst_ip | return 10000 src_ip=dst_ip ] ...

or as you said, alias them permanently. But you have to make the inner field match what's in the outer search.

0 Karma
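A fuller version of both of gkanapathy's answers above (the subsearch and the cross-field rename), added here as an example; it is not from the original thread, from Splunk, or from the eStreamer add-on. The block holds three separate searches, separated by blank lines. The first is the cross-field subsearch from the rename reply, with return given an explicit row count (its default is a single row, which would test the IDS alerts against one OSINT indicator only) and a stats summary of how often and when each matching source showed up. The second and third replace the subsearch with a CSV lookup, which is the form to move to once the OSINT list grows: write the deduplicated indicators to a lookup file, then enrich every IDS alert from it and keep only the rows that matched. The OSINT field names dst_ip and feed and the lookup file name osint_bad_ips.csv are assumptions about what the custom OSINT script emits, not fields the thread confirms.

```spl
sourcetype=estreamer
    [ search sourcetype=osint | dedup dst_ip | return 10000 src_ip=dst_ip ]
| stats count AS alert_count, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| convert ctime(first_seen), ctime(last_seen)
| sort - alert_count

sourcetype=osint
| dedup src_ip
| table src_ip, feed
| outputlookup osint_bad_ips.csv

sourcetype=estreamer
| lookup osint_bad_ips.csv src_ip OUTPUT feed AS ti_feed
| where isnotnull(ti_feed)
| stats count AS alert_count, values(ti_feed) AS ti_feed BY src_ip
| sort - alert_count
```

Two checks before trusting the results. Splunk field names are case-sensitive, so the field the question spells src_IP has to be written exactly as the estreamer sourcetype extracts it, both inside and outside the subsearch, or the generated filter matches nothing. And a subsearch is capped by default at 10,000 results and 60 seconds (limits.conf [subsearch] maxout and maxtime); past either limit the indicator list is truncated and alerts from the dropped indicators are simply not reported, which is why the lookup form is the safer choice for an indicator feed that keeps growing. Schedule the outputlookup search to run after each OSINT collection so the lookup stays current.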