Splunk Search

Correlate two events

Loepp
Observer

I have a challenge: 
When somebody makes changes to our AD, it is done using a CyberArk account. In order to find the person behind the CyberArk account, I need to go back and find the event where a person checks out an account.

So I have an AD change at 01.27 with user=pam-serveradmin01, and
from CyberArk at 01.05 account=pam-serveradmin and user=clt.

How would you build this query?

0 Karma

Richfez
SplunkTrust

A subsearch seems like the right answer here. 

A subsearch is enclosed in [] brackets inside your main search, runs first, and the results of that subsearch get fed back into the main search as search terms.

So you have two searches here, the search that finds the cyberark data, and the one that finds the AD data.  You didn't provide either of those separate searches, so I'm just making up some pseudosearches for those.

Let's say your cyberark search is something like

index=cyberark action=doAnImportantThing | dedup user

Which would return a short list of users involved in ... well, whatever doAnImportantThing is in this case.  Let's say "Mary" and "John".

So, at its simplest, you just use that as your subsearch.

index=ad [search index=cyberark action=doAnImportantThing | dedup user]

Don't forget to add "search" to the subsearch; it's automatic in the main search, but not anywhere else.

So your subsearch runs, returns its data formatted like (( user=Mary ) OR (user=John) ), which means your outer search ends up being

index=ad ( ( user=Mary ) OR (user=John) )

And there you go.

You'll want to refer here for more and more examples: https://docs.splunk.com/Documentation/Splunk/9.1.3/Search/Aboutsubsearches

Some other commands/stuff to know: 'earliest=...' and 'latest=...', and also check out the 'format' command, which can alter how the subsearch gets returned (to do things like AND, or whatever else you want).

0 Karma
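The subsearch pattern from this answer applied to the field names in the question, as an added example rather than code from the answer above. The index names ad and cyberark, the action value "checkout", and the 24-hour window are assumptions; the eval appends a wildcard because the question shows pam-serveradmin01 on the AD side but pam-serveradmin on the CyberArk side, so an exact match on user would find nothing.

```spl
index=ad earliest=-24h user="pam-*"
    [ search index=cyberark earliest=-24h action="checkout" account="pam-*"
      | dedup account
      | eval user=account."*"
      | fields user
      | format ]
| table _time user
```

The subsearch returns something like ( ( user="pam-serveradmin*" ) ), which the outer search then matches against pam-serveradmin01. Note what this does and does not give you: it narrows the AD events to accounts that were checked out in the window, but the person (suser=clt) never reaches the outer search, because a subsearch only contributes search terms, not field values. Attaching the person to each AD event needs the two sets of events in one result set, which is a different query.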

PickleRick
SplunkTrust

I assume the OP wants a bit more than that.

You have two different log sources.

One is a log from CyberArk PAS in which you have an event showing a connection from - let's say - user1 to account admin1 on server1. And then you have a normal AD log showing some sensitive action. And the idea is to pull the user1 from PAS log and insert it into the AD log.

The problem here, and I'm speaking not as a Splunk user but as a certified CyberArk PAS admin 🙂, is that there doesn't have to be a common field to join those two events because you can, for example, have a connection initiated to a server's IP address while the AD logs would only contain the server's hostname.

So it's not that easy due to the nature of the events. In some specific cases you probably can do that, but there is no general way for this.

OTOH, completely regardless of Splunk, you can do reporting within the PAS itself and can use the PTA solution available probably with your PAS license entitlement to generate alerts in case of activity you want to find but that's a completely different story - for another forum.

0 Karma

Loepp
Observer

I can see a little more information is needed:
I can find the user who checks out the CyberArk account "PAM-DomainAdmin*" with this search. It is the suser that is of interest.

index="cyberark" duser="PAM-DomainAdmin*" ("cn2=(Action: Connect)" OR command="Retrieve password")
| rename cn2 as Why
| table _time, user, suser, src, command, Why

Finding the action the user has performed as PAM-admin is done as:

index=wineventlog source=wineventlog:security EventID IN (4756, 4728, 4732) src_user="PAM-DomainAdmin*"


0 Karma

PickleRick
SplunkTrust

Yes, I understand. But this is a relatively complicated thing.

1. Unless you have exclusive access enabled on your account, you have the possibility of two people connecting at the same time to the destination system. You can't distinguish between them.

2. Since the action from one search occurs before the action from the other search, it's not as easy as just matching by time and host. I think I'd try to pull both searches into one result set and then "populate down" the value from the PAS user to the Windows events using streamstats (or try to use transaction, but using that command is generally not advised unless you really have no other option).

0 Karma
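A worked version of the "pull both searches into one result set and populate down with streamstats" approach, written as an added example using the two searches Loepp posted; it is not code from the answer above. Assumptions: the CyberArk account name in duser and the AD src_user differ at most by case (hence lower()), the 4-hour staleness threshold is arbitrary, and EventID/src_user/suser/duser are the field names exactly as they appear in the question.

```spl
(index="cyberark" duser="PAM-DomainAdmin*" ("cn2=(Action: Connect)" OR command="Retrieve password"))
OR (index=wineventlog source=wineventlog:security EventID IN (4756, 4728, 4732) src_user="PAM-DomainAdmin*")
| eval pam_account=lower(coalesce(duser, src_user))
| eval checkout_user=if(index="cyberark", suser, null())
| eval checkout_time=if(index="cyberark", _time, null())
| sort 0 _time
| streamstats current=t last(checkout_user) AS checkout_user last(checkout_time) AS checkout_time by pam_account
| where index="wineventlog"
| eval minutes_since_checkout=round((_time - checkout_time) / 60, 1)
| eval match_quality=case(isnull(checkout_user), "no prior checkout found",
                          minutes_since_checkout > 240, "checkout older than 4h, verify manually",
                          true(), "ok")
| convert ctime(checkout_time)
| table _time pam_account EventID src_user checkout_user checkout_time minutes_since_checkout match_quality
```

How it works: both searches are OR-ed into one event stream and given a shared key (pam_account). The two eval lines leave checkout_user and checkout_time empty on the Windows events, so after sorting by time, streamstats last(...) by pam_account carries the most recent CyberArk value forward onto every later event for the same account; the where then keeps only the AD group-membership changes (4728/4732/4756 are member-added events for global, local and universal security groups). match_quality is the check a reviewer wants: an AD change with no preceding checkout, or one far older than the session would plausibly last, should be investigated rather than trusted. Note the limit PickleRick raises in point 1: the query always attributes a change to the latest checkout of that account, so if two people hold the same account at once (exclusive access disabled) the attribution is a guess, not evidence, and a dc(suser) over the relevant window is needed to flag those cases.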