Splunk Enterprise Security

Correaltion Search : Detect if an Acces Apache Log exist for a user who has triggered an event

yanisA
Explorer

Hello,

We need to develop a Correlation Search to implement this algorithm :

If a specific custom event (here tagged as index="custom_app" categorie="custom_log") occures for one user we trigger an alert if there is no access apache log for the same user.

I have tried the following correlation search with trigger conditions : Trigger alert when Number of Results is equal to 0.

index="linux_apache" sourcetype="apache:access:kv"

[search index="custom_app" categorie="custom_log"

| top limit=1 user

| table user]

| table user

| dedup user

 

Thanks by advance for your help regarding this topic

Labels (1)
0 Karma
1 Solution

venkatasri
Influencer

Hi @yanisA 

As i understood you want to return top user to main search linux* and if there is a single table entry then you want to trigger it. You can try following query

 

index="linux_apache" sourcetype="apache:access:kv"
[search index="custom_app" categorie="custom_log"
| top limit=1 user
| return user]
| stats count by user

 

 

---

An upvote would be appreciated and Accept solution if it helps!

 

View solution in original post

venkatasri
Influencer

@yanisA Hope it helped, Appreciate if you could Accept solution.

venkatasri
Influencer

Hi @yanisA 

As i understood you want to return top user to main search linux* and if there is a single table entry then you want to trigger it. You can try following query

 

index="linux_apache" sourcetype="apache:access:kv"
[search index="custom_app" categorie="custom_log"
| top limit=1 user
| return user]
| stats count by user

 

 

---

An upvote would be appreciated and Accept solution if it helps!

 

View solution in original post

yanisA
Explorer

Hi @venkatasri ,

Yes that's it ! It seems to work perfectly !

Thank you so much for your help 🙂

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.