Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert if Fortigate and Clearpass events match

nielsg97
Engager
‎04-05-2018 01:24 AM

HI,

i've two datasources. Clearpass and Fortigate. I want to trigger an alarm if the Fortigate log contains Virus and Clearpass contains android. Is it possible in splunk to match those two based on src IP.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aakwah
Builder
‎04-05-2018 02:27 AM 
(index=security sourcetype=fortigate) OR (index=security sourcetype=clearpass) 
| transaction src_ip keepevicted=true maxspan=30s
| search dvc=Android AND alert=virus

View solution in original post

Reply
Solved! Jump to solution
Solution

aakwah
Builder
‎04-05-2018 02:27 AM 
(index=security sourcetype=fortigate) OR (index=security sourcetype=clearpass) 
| transaction src_ip keepevicted=true maxspan=30s
| search dvc=Android AND alert=virus
Reply
Solved! Jump to solution

nielsg97
Engager
‎04-05-2018 03:22 AM

Thanks helps a lot. but how to match src_ip if names are differtent in both events. in Fortigate its "src_ip" but in Clearpass its ip_address

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎04-05-2018 05:09 AM

In similar use case, I created an alias for this field in props.conf under sourcetype stanza

[Clearpass sourcetype]

FIELDALIAS-ip_address =  ip_address as src_ip
0 Karma
Reply
Solved! Jump to solution

splunker12er
Motivator
‎04-05-2018 04:45 AM

*|rename ip_address as src_ip |transaction.....

Reply
Solved! Jump to solution

splunker12er
Motivator
‎04-05-2018 02:23 AM

try Fortinet FortiGate App for Splunk : link : https://splunkbase.splunk.com/app/2800/
add-on : https://splunkbase.splunk.com/app/2846/

docs: https://www.fortinet.com/content/dam/fortinet/assets/alliances/SolutionBrief-Fortinet-Splunk.pdf

The App can absorb a high volume of elevated logs in real time and provide insights to
examine advanced threat intent, widespread backdoor viruses, and unexpected information
flows in a single pane of glass, enabling quick visualization of everything that’s happening in
your datacenter and cloud.

clearpass splunk app link : https://splunkbase.splunk.com/app/1895/
Aruba ClearPass App for Splunk Enterprise

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...