I'm trying to create a query that will provide me with events that use two indexes. The results are to show events where 2 consecutive emails were blocked (by a specific endpoint tool = index1) followed by a successfully sent email (logged by another endpoint tool = index2).
event/log = ((block #1 and block #2) and successfully sent email)
I've been running into issues; this is what I currently have:
index=index1 field1=SMTP action=blocked
| rex field=suid "(?<UserName>.+?)@"
| eval UserName=upper(UserName)
| rex field=_raw "fileName=(?<attachments>.+?)\s*fileHash="
| rex field=_raw "(?<Subject>(?<=cs=).*?(?=suid=))"
The first index contains data from an endpoint security tool that can block outbound/external emails. The second index contains data from another endpoint tool that archives emails (I can see all successful outbound and inbound emails that are not blocked).
So essentially, I want to see if user ABC123 gets two email blocks and, within 30 minutes of those two blocks (index1), sends a successful email that is not blocked (index2).
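Added example (not the poster's query) of one way to express this correlation in SPL: search both indexes at once, tag each event as blocked or sent, then use streamstats with a two-event look-back per user to keep only sends whose two preceding events were both blocks within 30 minutes. It assumes the archive events in index2 carry the sender address in a field called sender and an outbound marker direction=outbound (both assumed names), and that suid is the sender field in index1 as in the query above.

```spl
(index=index1 field1=SMTP action=blocked)
  OR (index=index2 direction=outbound)
| eval UserName=upper(mvindex(split(coalesce(suid, sender), "@"), 0))
| eval event_type=if(index="index1", "blocked", "sent")
| sort 0 _time
| streamstats current=f window=2 global=f
    count(eval(event_type="blocked")) AS prior_blocks
    min(_time) AS first_block_time
    by UserName
| where event_type="sent" AND prior_blocks=2 AND (_time - first_block_time) <= 1800
| eval first_block=strftime(first_block_time, "%Y-%m-%d %H:%M:%S")
| table _time UserName first_block
```

With current=f window=2 global=f, prior_blocks and first_block_time describe the two events immediately before each event for that user, so a successful send interleaved between the two blocks breaks the sequence and is not reported.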