Splunk Enterprise

How to correlate two different searches into one event

franciscof
Explorer

Hi guys, I need to configure an alert for when people log in as root on a server, and for that I have two types of events: one that shows when someone accesses the server as root:

Oct 16 15:52:55 *host* sshd[10873]: Accepted password for root from *IP* port 49745 ssh2

And another that contains the person who was using that IP (used to log in as root) at the moment the connection was established:

Oct 16 17:09:11 *host* openvpn[20236]: *user*/:1194 MULTI_sva: pool returned IPv4=*IP*, IPv6=(Not enabled)

So I need to correlate these two types of events in order to know which people were using the IP that logged in as root at the moment that happened. This is the search I've been using:

index=wineventlog eventtype=windows_logon_success
| eval so="Windows"
| eval user=if(isnull(Nombre_de_cuenta),user,mvindex(Nombre_de_cuenta, -1))
| append [search index=os source="/var/log/secure" user="root" eventtype=sshd_authentication
| eval so="Linux"]
| rex field=dest "(?<dest>.+?)\."
| rex field=src "(?<src_hostname>.+?)\."
| eval src=if(len(src_hostname)>2,src_hostname,src)
| where src!=dest
| search user=root
| rex "m\s(?<IP>\S+)"
| search IP=*
| append [search index=gw_pfsense "openvpn" IPv4=*]
| rex "for\s(?<root>\S+)"
| convert ctime(_time) as time

What else could I try?

Thanks in advance
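As an added example (not part of the question or of any reply in this thread), here is the correlation the question describes written in Python over constructed sample lines: each root SSH login is joined to the OpenVPN pool assignment for the same IP that is most recent before the login, so an address handed out to a second VPN user later in the day is attributed to the right person. Hostnames, user names, IP addresses and the assumed year are all constructed.

```python
import re
from datetime import datetime

# Constructed sample lines (hosts, users and IPs are made up), mirroring the two
# event shapes from the question: OpenVPN pool assignments and sshd root logins.
SAMPLE_LOGS = """\
Oct 16 15:40:02 vpn1 openvpn[20236]: alice/:1194 MULTI_sva: pool returned IPv4=10.8.0.12, IPv6=(Not enabled)
Oct 16 15:52:55 srv1 sshd[10873]: Accepted password for root from 10.8.0.12 port 49745 ssh2
Oct 16 16:30:10 vpn1 openvpn[20236]: bob/:1194 MULTI_sva: pool returned IPv4=10.8.0.12, IPv6=(Not enabled)
Oct 16 17:09:11 srv1 sshd[11002]: Accepted password for root from 10.8.0.12 port 50211 ssh2
Oct 16 17:20:00 srv1 sshd[11050]: Accepted password for root from 10.8.0.77 port 50300 ssh2
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<acct>\S+) from (?P<ip>\S+) port")
VPN_RE = re.compile(TS + r" \S+ openvpn\[\d+\]: (?P<user>[^/]+)/\S* MULTI_sva: pool returned IPv4=(?P<ip>[^,]+),")

def parse_ts(ts, year=2024):
    # Syslog timestamps carry no year; the year is assumed (constructed for the example).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate_root_logins(text):
    """Return (login_time, ip, vpn_user) for every root SSH login in `text`.

    vpn_user is the OpenVPN account that most recently received that IP from
    the pool *before* the login, or None when no lease precedes the login
    (for example, the source address never came from the VPN pool).
    """
    leases, logins = [], []
    for line in text.splitlines():
        if m := VPN_RE.match(line):
            leases.append((parse_ts(m["ts"]), m["ip"].strip(), m["user"]))
        elif (m := SSHD_RE.match(line)) and m["acct"] == "root":
            logins.append((parse_ts(m["ts"]), m["ip"]))
    leases.sort()  # chronological, so later leases overwrite earlier ones below
    results = []
    for when, ip in logins:
        owner = None
        for lease_time, lease_ip, user in leases:
            if lease_ip == ip and lease_time <= when:
                owner = user
        results.append((when, ip, owner))
    return results

if __name__ == "__main__":
    for when, ip, owner in correlate_root_logins(SAMPLE_LOGS):
        print(f"{when:%b %d %H:%M:%S} root login from {ip} -> VPN user {owner}")
```

The time-ordering check is the part a plain join on IP misses: with the sample data above the 15:52 login is attributed to alice and the 17:09 login to bob, even though both came from 10.8.0.12.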
