Splunk Search

Correlation from Data Model

korhanacar
Engager

Hi Guys,

I have a question about the data model.   Eventually, I want to create complex correlation rules by finding mutual indications between different log sources.     In this case, the mutual indication can be a username.  

I'm looking for two different ways to make this happen(there might be a third or fourth way, Maybe sub search or join):  Don't focus on use-case logic this is just an example:

 Lets say that I have a base query which is: sourcetype="WinEventLog" EventCode=4625 ( it has Authentication failures for "korhan" in the user field. )

Now, I want to join an event from the data model.  From proxy logs, the data model has malware URLs for users access to. |from datamodel:"proxylog"."malwarelog"  (Query of data model:index=main sourcetype=syslog category=Malware |stats count by user uri category)

When I run this data model query, it basically gives me:  user: korhan and count: 3, let say. 

Now there are two events, Microsoft and Proxy logs.

I want to say that if auth failure happens first and if the same user is also in the data model, I want to create an alarm. 

When i tried to combine two queries together, did not able to find how to create a relation in user fields. 

sourcetype="WinEventLog" EventCode=4625 |from datamodel:"proxylog"."malwarelog" | fields user

"Where" is not working for the data model. (It works for lookup table). Do you have any idea? 

you can recommend me anything else instead of the data model.  The data model seemed to me more effective rather than join queries. 

Thanks for the help!

I found this: https://community.splunk.com/t5/Knowledge-Management/How-do-you-write-a-correlation-search-with-a-da...

but did not work. It returns 0 info. 

Korhan

Labels (7)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...