Splunk Enterprise Security

Correlation Search: Detect if an Apache access log exists for a user who has triggered an event

yanisA
Explorer

Hello,

We need to develop a Correlation Search to implement this algorithm:

If a specific custom event (here tagged as index="custom_app" categorie="custom_log") occurs for a user, we trigger an alert if there is no Apache access log for the same user.

I have tried the following correlation search with the trigger condition: Trigger alert when Number of Results is equal to 0.

index="linux_apache" sourcetype="apache:access:kv"
    [search index="custom_app" categorie="custom_log"
    | top limit=1 user
    | table user]
| table user
| dedup user

Thanks in advance for your help regarding this topic.


venkatasri
SplunkTrust

Hi @yanisA 

As I understood it, you want to return the top user to the main search (linux*), and if there is a single table entry then you want to trigger it. You can try the following query:

 

index="linux_apache" sourcetype="apache:access:kv"
    [search index="custom_app" categorie="custom_log"
    | top limit=1 user
    | return user]
| stats count by user

---

An upvote would be appreciated, and please Accept the solution if it helps!

 

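Added example, not from either poster in this thread: the accepted search only evaluates the single most frequent user returned by `top limit=1`, so if two users trigger the custom event in the same scheduling window, the second one is never checked. Running both data sources through one `stats` pass and keeping only users with custom_log events and zero Apache hits evaluates every user in the window and yields one row per offending user, which maps cleanly onto one notable event per user in Enterprise Security. It assumes the field is named `user` in both sourcetypes (as in the thread's searches) and that the correlation search's trigger condition is changed to "Number of Results is greater than 0".

```spl
(index="custom_app" categorie="custom_log") OR (index="linux_apache" sourcetype="apache:access:kv")
| eval src=if(index=="custom_app", "custom", "apache")
| stats count(eval(src=="custom")) AS custom_events,
        count(eval(src=="apache")) AS apache_hits,
        min(_time) AS first_seen, max(_time) AS last_seen
        BY user
| where custom_events > 0 AND apache_hits == 0
| convert ctime(first_seen) ctime(last_seen)
```

Two things to check before scheduling it: the time range of the correlation search must cover the window in which the Apache access log is expected to appear (an event logged a few seconds after the custom event is a false positive if the window ends in between), and events with no `user` field are dropped by `BY user`, which is what you want for unauthenticated Apache requests but means a broken field extraction on either sourcetype silently turns into alerts for every user.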

venkatasri
SplunkTrust

@yanisA Hope it helped. I'd appreciate it if you could Accept the solution.


yanisA
Explorer

Hi @venkatasri,

Yes, that's it! It seems to work perfectly!

Thank you so much for your help 🙂
