Security

Search when Windows users log in and log out, by host

dbabanov
Path Finder

Hello!
I'm trying to build a somewhat complex search.
We are trying to build a correlated search showing which user ran which application and on what host. We are using Palo Alto logs to find apps and src_ip, Windows Security logs to find User and src_ip, and DHCP logs to find the hostname for src_ip.
We receive events from the Palo Alto firewall:
_time src_ip apps
We receive events from wineventlog:Security showing which user was logged on to the machine with the SAME IP.
We collect DHCP logs to find the hostname by IP address.

My search:

sourcetype=pan_traffic | join src_ip type=outer [search index=wineventlog EventCode=4624 | dedup user | join dest [search sourcetype=DhcpSrvLog signature="DNS dynamic update successful"] | rename dest AS dest_name | rename dest_ip AS src_ip] | table generated_time,log_subtype,src_ip,application,dest_name,user

This search is not correct, because it finds the last logged-in user on the host.

I think we must compare "generated_time" with the user login time. So we must find the intervals when a user is logged in, by host. I think we must use transaction. So, the search:

sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634 action=success | dedup _time | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) |eval User=lower(User)| search NOT User=*$ | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 | eval timeend=_time+duration | convert timeformat="%y-%m-%d %H:%M:%S" ctime(timeend) AS logoff_time | table User,_time,logoff_time

But how do we find online users? And by host?

So, how do we find the intervals when a user is online (and find the current ONLINE users) and build the table: generated_time,log_subtype,src_ip,application,dest_name,user

Thanks.

P.S. Sorry for my English.

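An added example, not from the post or from Splunk, showing the interval logic the question is after in plain Python on constructed events: pair each 4624 with the next 4634 for the same (ip, user) into a session, treat an unpaired 4624 as a user who is still online, and attribute each firewall event to whichever session covers its generated_time. The field names and sample values are assumptions.

```python
from datetime import datetime

# Constructed sample Windows Security events (not real log data): 4624 = logon, 4634 = logoff.
WIN_EVENTS = [
    {"time": "2024-03-01 08:00:00", "code": 4624, "user": "ALICE", "ip": "10.0.0.5"},
    {"time": "2024-03-01 08:01:00", "code": 4624, "user": "WS01$", "ip": "10.0.0.5"},
    {"time": "2024-03-01 12:00:00", "code": 4634, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-03-01 12:30:00", "code": 4624, "user": "bob", "ip": "10.0.0.5"},
    {"time": "2024-03-01 09:00:00", "code": 4624, "user": "carol", "ip": "10.0.0.7"},
]
# Constructed sample Palo Alto traffic events: generated_time, src_ip, application.
PAN_EVENTS = [
    {"time": "2024-03-01 10:15:00", "src_ip": "10.0.0.5", "app": "ssl"},
    {"time": "2024-03-01 13:00:00", "src_ip": "10.0.0.5", "app": "dropbox"},
    {"time": "2024-03-01 07:00:00", "src_ip": "10.0.0.5", "app": "dns"},
    {"time": "2024-03-01 09:30:00", "src_ip": "10.0.0.7", "app": "web-browsing"},
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_sessions(events):
    """Pair each 4624 with the next 4634 for the same (ip, user); an unpaired 4624 is a session still open."""
    sessions, open_logons = [], {}
    for e in sorted(events, key=lambda e: ts(e["time"])):
        user = e["user"].lower()
        if user.endswith("$"):            # skip machine accounts, like the search's NOT User=*$
            continue
        key = (e["ip"], user)
        if e["code"] == 4624:
            open_logons.setdefault(key, ts(e["time"]))  # keep the earliest unmatched logon
        elif e["code"] == 4634 and key in open_logons:
            sessions.append({"ip": e["ip"], "user": user, "start": open_logons.pop(key), "end": ts(e["time"])})
    for (ip, user), start in open_logons.items():     # no 4634 yet: currently online
        sessions.append({"ip": ip, "user": user, "start": start, "end": None})
    return sessions

def online_users(sessions):
    return sorted((s["ip"], s["user"]) for s in sessions if s["end"] is None)

def attribute(pan_events, sessions):
    """Interval join: the user whose session on src_ip covers generated_time, else None."""
    rows = []
    for p in pan_events:
        t = ts(p["time"])
        match = [s for s in sessions if s["ip"] == p["src_ip"] and s["start"] <= t and (s["end"] is None or t <= s["end"])]
        rows.append((p["time"], p["src_ip"], p["app"], match[0]["user"] if match else None))
    return rows
```

A firewall event with no covering session (here the 07:00 dns row) stays unattributed rather than being assigned to the host's most recent user, which is the defect in the join-based search.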

ciyn
Explorer

You can install the "PAN-OS Integrated User-ID Agent"; it will allow you to map IP addresses to users.


dbabanov
Path Finder

The customer wants to see the advantages of Splunk in processing the correlation of events.
So, we cannot install agents...
