Use Case: Correlate logon events from a Windows desktop to events on the domain controller.
Sample (shortened) event from the desktop:
CEF:0|Microsoft|Microsoft Windows||Security:528|Successful Logon|Low| eventId=9484152 externalId=528 msg=RemoteInteractive: A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection. art=1261605081785 src=10.150.28.43 suser=svc_eiq duser=svc_eiq cn1=10 cn1Label=LogonType dvc=10.151.113.33
Sample (shortened) events from the domain controller:
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110125027 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956463 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110125025 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956463 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110124994 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604956197 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38
CEF:0|Microsoft|Microsoft Windows||Security:540|Successful Network Logon|Low| eventId=110124964 externalId=540 msg=Network: A user or computer logged on to this computer from the network. art=1261604955991 src=10.151.113.33 suser=- duser=svc_eiq cn1=3 cn1Label=LogonType dvc=10.151.118.38
The events on the domain controller occur within 1 second of the logon event being generated on the endpoint. The events on the DC and endpoint are linked by the dvc field on the endpoint and the src field on the DC. The goal is to present linked events occurring within 1 minute of each other as a single transaction.
Proposed Splunk transaction search:
source=*event*.log (suser=svc_eiq OR duser=svc_eiq) (externalId=528 OR externalId=540) (cn1=10 OR cn1=2 OR cn1=3) | transaction dvc src maxspan=1m maxpause=3s
The result is 2 events/transactions instead of 1. The transaction command first groups all events with the same dvc value, then events with the same src value.
How do I get a transaction based on the same value of both dvc and src? Is it possible to accomplish this with the transaction command?
An alternate approach we've tried is use a subsearch. The inner search first finds the events of interest on the desktop then passes the dvc field to the outer search renamed as the src field. The complete search will present the relevant domain controller events. The difficulty with this approach is with introducing the time dimension--events occurring within 1 minute of each other. It's not clear to me how to pass time as the art field from the inner to outer search without affecting the search criteria of the outer search. We want to do something like this (but it doesn't work):
sourcetype=cef externalId=540 cn1=3 [search sourcetype=cef suser=svc_* externalId=528 (cn1=10 OR cn1=2) | top dvc by suser | fields + dvc,suser,art | rename dvc as src | rename suser as duser | rename art as start_art] | eval delta_art=start_art-art | where delta_art<1m
