
What are some potential correlation search SPL?

AL3Z
Builder

Hi,

Looking for SPL like: within a brief span of time, say two hours, a user prompts alerts for both PDM and encrypted files.

thanks


gcusello
SplunkTrust

Hi @AL3Z,

probably you should try to better describe your requirement!

Which data source are you speaking of?

Why do you speak of a Correlation Search?

Did you check if in the Splunk baseline there's some Use Case for your technology?

Did you check if in the Splunk Security Essentials App there's some Use Case for your technology?

Ciao.

Giuseppe


AL3Z
Builder

@gcusello
Hi,

My requirement is to find where a user triggers both PDM and Encrypted file alerts in a short period of time (like 2 hours).
The data source is DLP.

Ciao.


gcusello
SplunkTrust

Hi @AL3Z,

could you share some samples of these two kinds of alerts, indicating the correlation key between them?

Ciao.

Giuseppe


AL3Z
Builder

..


AL3Z
Builder

Please use the above sample event for this use case:
when a user triggers different PDM alerts in a short period of time (e.g. Block on Gmail and Block on external apps)...


gcusello
SplunkTrust

Hi @AL3Z,

this is one alert sample; and the other?

could you highlight in bold the correlation key to use?

Ciao.

Giuseppe


AL3Z
Builder

@gcusello

Please find the sample event key points highlighted in red colour.


gcusello
SplunkTrust

Hi @AL3Z,

this is one kind of alert (PDM, I suppose); can you share a sample of the other kind of alert, or does it have the same format with only a different message?

Ciao.

Giuseppe


AL3Z
Builder

@gcusello could you brief me about the PDM abbreviation and concept?


gcusello
SplunkTrust

Hi @AL3Z,

PDM is an acronym that I don't know and that you used.

In a few words, you have to:

  • identify the rules to filter only the events you need in both data sources (e.g. index and sourcetype); for this reason I asked for two samples of data, one for each data source to correlate,
  • then identify a correlation key (e.g. user), a common field in both data sources; if they have a different field name you have to rename one of them to have the same,
  • and then define the rules (e.g. user present in both data sources) to apply a final filter.

In this way, you should have something like this, to find events where the user is present in both data sources:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| stats dc(index) AS index_count values(index) AS index BY user
| where index_count=2

Ciao.

Giuseppe


AL3Z
Builder

@gcusello,

Hi,

You're on a different track. My requirement is: if a single user triggers an alert, say alert_name other than pdm, more than 3 times within 2 hours.

How could we achieve it using eval?

Thanks 👍


gcusello
SplunkTrust

Hi @AL3Z,

so the condition is triggering an alert, not that the alert must be in both indexes.

In this case, please try the same with a different final condition:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| stats dc(index) AS index_count values(index) AS index values(pdm) AS pdm BY user
| where index_count=1 AND index=index1

The thing that I don't understand is what the condition for pdm is.

Ciao.

Giuseppe

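The two searches Giuseppe posted express the correlation logic (group by the `user` key, then filter on `dc(index)` or on a count) but neither yet enforces the 2-hour proximity the asker wants; in SPL that is normally added with `bin _time span=2h` before the `stats`, which gives fixed buckets rather than a sliding window. The following is an added Python example, not code from the thread or from Splunk, that runs the same two conditions over constructed DLP alert events so the logic can be checked offline: the first requirement (one user, both alert sources within 2 hours) and the later one (one user, the same alert_name more than 3 times within 2 hours). The field names `_time`, `index`, `user` and `alert_name` and all event values are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DLP alert events (not from the thread).
# Field names _time, index, user and alert_name are assumptions, chosen to
# mirror the thread's "(index=index1 ...) OR (index=index2 ...)" search.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "index": "index1", "user": "alice", "alert_name": "PDM block on Gmail"},
    {"_time": "2024-05-01T09:45:00", "index": "index2", "user": "alice", "alert_name": "Encrypted file upload"},
    {"_time": "2024-05-01T09:10:00", "index": "index1", "user": "bob",   "alert_name": "PDM block on Gmail"},
    {"_time": "2024-05-01T13:30:00", "index": "index2", "user": "bob",   "alert_name": "Encrypted file upload"},
    {"_time": "2024-05-01T10:00:00", "index": "index1", "user": "carol", "alert_name": "Block on external apps"},
    {"_time": "2024-05-01T10:20:00", "index": "index1", "user": "carol", "alert_name": "Block on external apps"},
    {"_time": "2024-05-01T10:40:00", "index": "index1", "user": "carol", "alert_name": "Block on external apps"},
    {"_time": "2024-05-01T11:10:00", "index": "index1", "user": "carol", "alert_name": "Block on external apps"},
]

WINDOW = timedelta(hours=2)


def _by_user(events):
    """Group events by the correlation key (user), sorted by time within each group.

    This is the Python counterpart of "... BY user" in the thread's stats command.
    """
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["user"]].append(dict(ev, ts=datetime.fromisoformat(ev["_time"])))
    for evs in grouped.values():
        evs.sort(key=lambda e: e["ts"])
    return grouped


def users_with_both_sources(events, window=WINDOW):
    """First requirement: a user has events from two distinct indexes within `window`.

    Mirrors "stats dc(index) ... BY user | where index_count=2", but adds the
    two-hour proximity the asker wanted: the two events must lie within `window`
    of each other, not merely anywhere in the search range.
    """
    hits = set()
    for user, evs in _by_user(events).items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are sorted, so nothing further is within the window
                if later["index"] != first["index"]:
                    hits.add(user)
                    break
            if user in hits:
                break
    return sorted(hits)


def users_exceeding_threshold(events, alert_name, threshold=3, window=WINDOW):
    """Second requirement: a user triggers `alert_name` more than `threshold`
    times within any `window`-long span (sliding window, two-pointer count)."""
    hits = set()
    for user, evs in _by_user(events).items():
        times = [e["ts"] for e in evs if e["alert_name"] == alert_name]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it spans <= 2 hours
            if end - start + 1 > threshold:
                hits.add(user)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("both alert sources within 2h:", users_with_both_sources(SAMPLE_EVENTS))
    print(">3 'Block on external apps' in 2h:",
          users_exceeding_threshold(SAMPLE_EVENTS, "Block on external apps"))
```

In the constructed data only alice has both sources within two hours (bob's two alerts are over four hours apart, so a plain `dc(index)=2` without a time window would wrongly flag him), and only carol exceeds three occurrences of one alert inside a two-hour span.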