Splunk Search

Correlation from Data Model

korhanacar
Engager

Hi Guys,

I have a question about the data model. Eventually, I want to create complex correlation rules by finding mutual indications between different log sources. In this case, the mutual indication can be a username.

I'm looking for two different ways to make this happen (there might be a third or fourth way, maybe sub search or join). Don't focus on the use-case logic, this is just an example:

Let's say that I have a base query which is: sourcetype="WinEventLog" EventCode=4625 (it has authentication failures for "korhan" in the user field.)

Now, I want to join an event from the data model. From proxy logs, the data model has malware URLs that users accessed. |from datamodel:"proxylog"."malwarelog" (Query of data model: index=main sourcetype=syslog category=Malware |stats count by user uri category)

When I run this data model query, it basically gives me: user: korhan and count: 3, let's say.

Now there are two events, Microsoft and Proxy logs.

I want to say that if auth failure happens first and if the same user is also in the data model, I want to create an alarm. 

When I tried to combine the two queries together, I was not able to find how to create a relation in the user fields.

sourcetype="WinEventLog" EventCode=4625 |from datamodel:"proxylog"."malwarelog" | fields user

"Where" is not working for the data model. (It works for a lookup table.) Do you have any idea?

You can recommend me anything else instead of the data model. The data model seemed to me more effective than join queries.

Thanks for the help!

I found this: https://community.splunk.com/t5/Knowledge-Management/How-do-you-write-a-correlation-search-with-a-da...

but it did not work. It returns 0 info.

Korhan
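One way to express the correlation the post is after, as an added example that is not part of the original thread: `where` runs per event, so it cannot compare a WinEventLog event against a data model row; instead, bring both sources into one result set with `append`, aggregate per `user`, and only then filter to users that appear on both sides. It assumes the data model and dataset names from the post (`proxylog`/`malwarelog`), that the data model rows carry the `user`, `uri` and `count` fields produced by its `stats count by user uri category` search, and that the appended subsearch stays within Splunk's subsearch result limits.

```spl
sourcetype="WinEventLog" EventCode=4625
| eval source_kind="auth_failure"
| append
    [ | from datamodel:"proxylog"."malwarelog"
      | eval source_kind="malware_url" ]
| stats count(eval(source_kind="auth_failure")) AS auth_failures,
        min(eval(if(source_kind="auth_failure", _time, null()))) AS first_failure,
        sum(eval(if(source_kind="malware_url", count, 0))) AS malware_hits,
        values(eval(if(source_kind="malware_url", uri, null()))) AS malware_uris
        BY user
| where auth_failures > 0 AND malware_hits > 0
| eval first_failure=strftime(first_failure, "%Y-%m-%d %H:%M:%S")
| table user auth_failures first_failure malware_hits malware_uris
```

Saved as an alert with a condition of "number of results > 0", this fires only for users who have both 4625 failures and malware URL hits in the search window; the data model rows in the post are already aggregated and carry no `_time`, so the "auth failure happens first" ordering would need the data model to expose the original event time.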
