Security

Correlation rule

or1515
Loves-to-Learn Everything

Hey splunkers,
How can I correlate rules in Splunk from 2 data sources?

The events for example:

OKTA - privilege granted
index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"
+
Windows - Event Auditing disabled
index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"

I want to correlate the first Okta event and then the Windows event by the same field (for example Username) within 10 min.


ITWhisperer
SplunkTrust

You can use the join command to join the two searches, or the stats command to gather events from both searches by user.


or1515
Loves-to-Learn Everything

Can you write an example please?


ITWhisperer
SplunkTrust

index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"
| join user [search index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"]

or

| multisearch [search index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"]
 [search index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"]
| stats values(*) as * by user

or1515
Loves-to-Learn Everything

Thanks for your response.

How can I set a time range between both searches?
Like search 2 occurring after 10 min?


ITWhisperer
SplunkTrust

You can use earliest and latest fields on each search to override the timepicker settings.

or1515
Loves-to-Learn Everything

Again, it's not what I'm searching for.

I want to correlate 2 different indexes with different fields.

1. Cisco FW - suspicious IP address entered the internal network.
2. Crowdstrike - suspicious IP address scanning.

In the Cisco events the IP address field is written: IP_Address

In the Crowdstrike events it's: IPaddress

I want to combine both events by the same field (IP Address) with a time range between both events.

I hope there is a solution for that 🙂


ITWhisperer
SplunkTrust

You could rename IPaddress to IP_Address.

I don't understand your time requirement.

or1515
Loves-to-Learn Everything

Alright, thanks.


1. What does the last row stand for?

| stats values(*) as * by user

Why are the values with *?

2. I want a time distance between the first search and the second search (like 5-10 min).


ITWhisperer
SplunkTrust

| stats values(*) as * by user will gather all the fields (not internal fields) into multi value collections by user, renaming the collection with the name of the field, i.e. the * means all fields. If you want the _time field to be included, you would probably have to add values(_time) as _time. You can then look at the times the events occurred to determine how far apart they are.

or1515
Loves-to-Learn Everything

Alright, but again it's not what I need.

I want to make a time space between the first search and the second search.
In this, what separates both searches is:
| join user

Now, I want another time field that will separate the first search from the second search.
Like 1m/1h/1d between the first search and the second.
Then, it will become a correlation security search between 2 different indexes that will be combined on the same field with, for example, a 1h time difference.
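The time constraint asked for throughout this thread, written as an added SPL example (not code from any post above). It folds the two searches from the original question into one base search, tags each event with the stage it represents, collapses them per user with stats, and keeps only users whose Windows audit-policy removal (EventCode 4719) follows the Okta privilege grant by at most 10 minutes (600 seconds). Assumptions: both sourcetypes expose the account as a field named user (the same assumption the join user answer above makes), and the stage names, the 600-second threshold and the output column names are chosen here, not taken from the page.

```spl
(index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant")
OR (index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed")
| eval stage=if(sourcetype="OktaIM2:log", "okta_grant", "win_audit_off")
| eval okta_time=if(stage="okta_grant", _time, null())
| eval win_time=if(stage="win_audit_off", _time, null())
| stats min(okta_time) as grant_time, max(win_time) as audit_off_time by user
| where audit_off_time>=grant_time AND (audit_off_time - grant_time)<=600
| eval gap_minutes=round((audit_off_time - grant_time)/60, 1)
| convert ctime(grant_time) ctime(audit_off_time)
| table user grant_time audit_off_time gap_minutes
```

The where clause is what enforces the gap: a user with only one of the two events has a null on one side and drops out, and a 4719 that arrives before the grant, or more than 600 seconds after it, drops out too. Schedule it over a window a little wider than the gap (for example the last 30 minutes, every 10 minutes) so both events can fall inside one run, and change 600 to whatever distance you want (1m/1h/1d). The Cisco/Crowdstrike case later in the thread is the same search with those two base searches swapped in, a `| rename IPaddress as IP_Address` placed before the stats, and `by IP_Address` instead of `by user`. Because stats keeps only the earliest grant and the latest audit change per user, a user with several of each inside the window can hide a qualifying pair; `transaction user maxspan=10m` with startswith/endswith on the stage field pairs every occurrence, at a higher search cost.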
