
search when windows users login and logout by host

dbabanov
Path Finder

Hello!
I am trying to build a fairly complex search.
We are trying to build a correlated search showing which user ran an application and on what host. We use the Palo Alto log to find apps and src_ip, the Windows Security log to find the user and src_ip, and the DHCP log to find the hostname for an src_ip.
We have received events from the PALO ALTO firewall:
_time src_ip apps
We have received events from wineventlog:Security showing which user was logged on to the machine with the SAME ip.
We have collected DHCP logs to find the hostname by ip-address.

My search:


sourcetype=pan_traffic
| join src_ip type=outer
    [search index=wineventlog EventCode=4624
     | dedup user
     | join dest [search sourcetype=DhcpSrvLog signature="DNS dynamic update successful"]
     | rename dest AS dest_name
     | rename dest_ip AS src_ip]
| table generated_time,log_subtype,src_ip,application,dest_name,user

This search is not correct, because it finds the last user who logged in on the host.

I think we must compare "generated_time" with the user login time. So we must find the intervals when a user was logged in, by host. I think we must use transaction. So the search:


sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634 action=success
| dedup _time
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval timeend=_time+duration
| convert timeformat="%y-%m-%d %H:%M:%S" ctime(timeend) AS logoff_time
| table User,_time,logoff_time

But how do I find online users?? And by host??

So, how do I find the intervals when a user is online (and find the current ONLINE users) and build the table: generated_time,log_subtype,src_ip,application,dest_name,user

Thanks.

P.S. sorry for my English

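One way to do the time-aware correlation in SPL alone, as an added example that is not from the thread: the Windows logon/logoff events (with hostnames resolved to addresses via the DHCP log) are merged into one stream with the firewall traffic, and streamstats carries the most recent logon per src_ip forward, so each traffic event is attributed to whoever was logged on at that moment rather than to the last user seen on the host. Field names (dest, dest_ip, src_ip, Account_Name, generated_time, log_subtype, application) are the ones used in the searches above; src_event and session_user are helper fields introduced here, the "-" sentinel marks a logoff, and the DHCP join assumes one current address per host.

```spl
sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634)
| eval User=lower(if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0)))
| search NOT User="*$"
| join type=left dest
    [ search sourcetype=DhcpSrvLog signature="DNS dynamic update successful"
      | dedup dest
      | fields dest dest_ip ]
| rename dest AS dest_name, dest_ip AS src_ip
| eval session_user=case(EventCode=4624, User, EventCode=4634, "-")
| append
    [ search sourcetype=pan_traffic
      | eval src_event="pan"
      | fields _time src_ip src_event generated_time log_subtype application ]
| sort 0 src_ip _time
| streamstats last(session_user) AS session_user, last(dest_name) AS dest_name BY src_ip
| where src_event="pan" AND isnotnull(session_user) AND session_user!="-"
| table generated_time log_subtype src_ip application dest_name session_user
```

Traffic seen before any logon, or after a 4634 with no later 4624, is dropped by the where clause; to list the users currently online instead, drop the where and keep, per src_ip, the latest event whose session_user is neither null nor "-". The append and join subsearches are subject to the default subsearch result limits (maxout), so narrow the time range or schedule the DHCP host-to-IP mapping into a lookup for larger environments.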

ciyn
Explorer

You can install the "PAN-OS Integrated User-ID Agent"; it will allow you to map IP addresses to users.


dbabanov
Path Finder

The customer wants to see the advantages of Splunk in processing the correlation of events.
So, we cannot install agents...
