Splunk Enterprise Security

Correlate two search results.

cpaul8
New Member

Hello,

I have two queries from two DMs (Authentication and Change-Analysis).

Task: Basically, I need to exclude the users who have changed the password themselves in the last 3 days for a brute force detection.

I am having a hard time merging two results from two DMs. The query which is using the Authentication DM is grouped by src, and the other query which is using Change-Analysis does not have a src field, but both have the "user" field in common. How do I merge them?

Can we join these two queries using the common field "user", or a subsearch?

The query below is not the actual working one, but it shows that I need to join the subsearch. Please let me know if you still need more clarification on this.

Sample:
| from datamodel:"Authentication"."Authentication"
| search NOT [search index=oswinsec earliest=-72h@h latest=-1h@h tag=account ((EventCode=4723 status=success) OR (EventCode=4738 action=modified)) user!="$" | stats dc(EventCode) as count by user | where count=2 | table user]
| stats count(eval('action'=="failure")) as failure, count(eval('action'=="success")) as success by src
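An added example (not from the original post) of the same exclusion done with append and eventstats instead of a subsearch filter, so the "user changed own password" flag is visible on every row before the final grouping by src and can be checked during tuning. It assumes the same data model, index, tag and EventCodes as the post; the field name self_changed is a constructed helper.

```spl
| from datamodel:"Authentication"."Authentication"
| search action="failure" OR action="success"
| fields user src action
| eval self_changed=0
| append
    [ search index=oswinsec earliest=-72h@h latest=-1h@h tag=account
        ((EventCode=4723 status=success) OR (EventCode=4738 action=modified)) user!="$"
      | stats dc(EventCode) as codes by user
      | where codes=2
      | eval self_changed=1
      | fields user self_changed ]
| eventstats max(self_changed) as self_changed by user
| where self_changed=0
| stats count(eval(action=="failure")) as failure, count(eval(action=="success")) as success by src
```

The append still runs as a subsearch, so the usual subsearch result and time limits apply to the Change-Analysis side; check the job inspector for a truncation warning if the excluded-user list is large.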
