Hey splunkers,
How can I correlate rules in Splunk from 2 data sources?
The events for example:
OKTA - privilege granted
index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"
+
Windows - Event Auditing disabled
index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"
I want to correlate first Okta event and then the Windows event with the same field (for example Username) in 10 min.
You can use the join command to join the two searches, or the stats command to gather events from both searches by user.
Can you write an example please?
index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"
| join user [search index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"]
or
| multisearch [search index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"]
[search index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"]
| stats values(*) as * by user
Thanks for your response.
How can I set a time range between both searches?
Like search 2 occurring after 10 min?
You can use earliest and latest fields on each search to override the timepicker settings
Again, it's not what I'm searching for.
I want to correlate 2 different indexes with different fields.
1. Cisco FW - suspicious IP address entered the internal network.
2. CrowdStrike - Suspicious IP address scanning
In Cisco, the IP address field is written: IP_Address
In CrowdStrike it's: IPaddress
I want to combine both events by the same field (IP Address) with a time range between both events.
I hope there is a solution for that 🙂
You could rename IPaddress to IP_Address
I don't understand your time requirement
Alright, thanks.
1. What does the last row stand for?
| stats values(*) as * by user
Why are the values with *?
2. I want a time distance between the first search to the second search (Like 5-10 min).
| stats values(*) as * by user will gather all the fields (not internal fields) into multi value collections by user, renaming the collection with the name of the field i.e. the * means all fields. If you want the _time field to be included, you would probably have to add values(_time) as _time. You can then look at the times the events occurred to determine how far apart they are.
Alright, but again it's not what I need.
I want to make a time space between the first search and the second search.
In this, what separates both searches is: | join user
Now, I want another time field that will separate the first search from the second search.
Like 1m/1h/1d between the first search and the second.
Then, it will become a correlation security search between 2 different indexes that will be combined with the same field and, for example, a 1h time difference.
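One way to express the time window asked for above, as an added example that is not any poster's search: pull both event types in a single search, tag each event by source, then use stats to find per user the earliest Okta privilege grant and the latest Windows audit-policy removal, and keep only users where the Windows event followed the Okta event by at most 600 seconds (10 minutes; change the bound for 1h/1d). It assumes both sourcetypes expose the joining field as user (if the names differ, rename first, as with IPaddress/IP_Address earlier in the thread) and that earliest=-24h covers the period of interest.

```spl
(index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant")
    OR (index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed")
    earliest=-24h
| eval stage=if(sourcetype=="OktaIM2:log", "okta_grant", "win_audit_off")
| eval user=lower(user)
| stats min(eval(if(stage=="okta_grant", _time, null()))) AS okta_time
        max(eval(if(stage=="win_audit_off", _time, null()))) AS win_time
        values(stage) AS stages
        count AS events
        BY user
| where isnotnull(okta_time) AND isnotnull(win_time)
| eval gap_sec=win_time-okta_time
| where gap_sec>=0 AND gap_sec<=600
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(okta_time) ctime(win_time)
| table user okta_time win_time gap_sec stages events
```

Because stats keeps only the earliest grant and the latest audit change per user, a user with several of each can show a gap larger than the true pair spacing; if exact pairing matters, sort by user and _time and use streamstats to carry the previous event's stage and _time onto each row instead.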