Splunk Search

How to correlate events from two devices in splunk and make alert from it

dsdeepak
Explorer

Scenario: I have simulated an attack from PC1 to PC2, which has generated logs on both machines as below. Now I want to create an alert that fires when both event IDs are captured in Splunk within a time frame of 30 seconds.

PC1
Log source: Windows
Log Event ID = 4648

PC2
Log source: Windows
Log Event ID = 4624

Thanks

gcusello
SplunkTrust

Hi @dsdeepak,

Let me understand:

You want to correlate events on PC1 with EventCode=4648 with events on PC2 with EventCode=4624, is that correct?

Is there a key to correlate the events on, or do you only want to find whether, in the same timeframe, there are events on PC1 with EventCode=4648 and events on PC2 with EventCode=4624?

If this is your need, try something like this:

index=wineventlog (host=PC1 EventCode=4648) OR (host=PC2 EventCode=4624)
| stats dc(EventCode) AS eventcodes
| where eventcodes=2

But in this way you only know that there are events on PC1 with EventCode=4648 and events on PC2 with EventCode=4624. Is this sufficient for you?

Ciao.

Giuseppe

dsdeepak
Explorer

Thank you.

DalJeanis
Legend

@gcusello You probably also want to give him the code for the "30 second" part of his request. Here's one cut at that:


index=wineventlog (host=PC1 EventCode=4648) OR (host=PC2 EventCode=4624)
| fields _time EventCode host
| sort 0 _time EventCode host
| streamstats time_window=31s values(EventCode) AS eventcodes dc(EventCode) AS bothpresent list(host) AS hosts
| where bothpresent=2


Or, if you need the _raw from the two events:


index=wineventlog (host=PC1 EventCode=4648) OR (host=PC2 EventCode=4624)
| fields _time EventCode host
| sort 0 _time EventCode host
| streamstats time_window=31s values(EventCode) AS eventcodes dc(EventCode) AS bothpresent list(host) AS hosts values(_raw) AS Raw
| where bothpresent=2


Also, @dsdeepak, you might want to correlate some other field, such as the user field on both machines, into the search.

If your hypothetical attacker would have the same Windows user field on both machines, then you need a little more code. All this search will do is detect when there is ANY 4648 on one machine and a 4624 on the other, not necessarily connected to each other.
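
To make the difference between the two approaches concrete, here is an added example that is not part of the thread and not a Splunk search: a stand-alone Python model of the same sliding-window logic, run over constructed sample events. With key_on_user=False it reproduces what the streamstats window above checks (any 4648 on PC1 and any 4624 on PC2 close together in time); with key_on_user=True it also requires the same Account_Name on both hosts and, unlike the streamstats window, requires the 4648 to precede the 4624. Host names, account names, timestamps and the 30-second default are all assumptions made for the example.

```python
"""Sliding-window correlation of Windows 4648 (logon with explicit
credentials, on the source host) and 4624 Logon_Type=3 (network logon,
on the target host), with and without a join key on the account name.

Added example: a stand-alone Python model of the detection logic discussed
in the thread, not the Splunk search itself. Host names, account names
and timestamps below are constructed test data.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time host code user logon_type")

# Constructed sample events (not real logs):
# (timestamp, host, EventCode, Account_Name, Logon_Type)
SAMPLE_ROWS = [
    ("2024-05-01T10:00:00", "PC1", 4648, "alice", None),
    ("2024-05-01T10:00:12", "PC2", 4624, "alice", 3),    # 12 s later, same account: the chain we want
    ("2024-05-01T10:05:00", "PC1", 4648, "bob",   None),
    ("2024-05-01T10:05:20", "PC2", 4624, "carol", 3),    # 20 s later but a different account: coincidence
    ("2024-05-01T10:10:00", "PC1", 4648, "dave",  None),
    ("2024-05-01T10:11:30", "PC2", 4624, "dave",  3),    # same account but 90 s later: outside a 30 s window
    ("2024-05-01T10:12:00", "PC2", 4624, "PC1$",  3),    # machine account, dropped like Account_Name!=*$
]


def parse(rows):
    """Build Event tuples from the raw rows and order them by time, as streamstats requires."""
    events = [Event(datetime.fromisoformat(ts), host, code, user, lt)
              for ts, host, code, user, lt in rows]
    return sorted(events, key=lambda e: e.time)


def correlate(rows, src_host="PC1", dst_host="PC2", window_seconds=30, key_on_user=True):
    """Return (src_event, dst_event) pairs where a 4648 on src_host is followed,
    within window_seconds, by a 4624 Logon_Type=3 on dst_host.

    key_on_user=False mirrors the thread's streamstats window (any 4648 and
    any 4624 close in time); key_on_user=True additionally requires the same
    Account_Name on both hosts. Either way the 4648 must come first.
    """
    window = timedelta(seconds=window_seconds)
    events = [e for e in parse(rows) if not e.user.endswith("$")]  # Account_Name!=*$
    sources = [e for e in events if e.host == src_host and e.code == 4648]
    targets = [e for e in events if e.host == dst_host and e.code == 4624 and e.logon_type == 3]

    pairs = []
    for s in sources:
        for t in targets:               # targets are time-ordered
            delta = t.time - s.time
            if delta < timedelta(0):
                continue                # 4624 happened before this 4648: not its consequence
            if delta > window:
                break                   # everything after t is later still
            if key_on_user and t.user != s.user:
                continue                # same window, unrelated account
            pairs.append((s, t))
    return pairs


def describe(pairs):
    """Flatten pairs into (user_on_src, user_on_dst, seconds_apart) for display or assertions."""
    return [(s.user, t.user, int((t.time - s.time).total_seconds())) for s, t in pairs]


if __name__ == "__main__":
    print("unkeyed:      ", describe(correlate(SAMPLE_ROWS, key_on_user=False)))
    print("keyed:        ", describe(correlate(SAMPLE_ROWS)))
    print("keyed, 120 s: ", describe(correlate(SAMPLE_ROWS, window_seconds=120)))
```

On the constructed data the unkeyed window fires twice (alice's real chain and the bob/carol coincidence), the keyed 30-second window fires once, and widening the keyed window to 120 seconds also picks up dave's slower chain while still ignoring the machine account. The same join key can be carried into SPL by adding Account_Name to the streamstats `by` clause, which is the "little more code" referred to above.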


dsdeepak
Explorer

Thank you everyone for your answers; they were very helpful. I have modified the query as per my requirement. However, I have a couple of queries.

1. What is the difference between the values and list fields?

2. Is it possible to contain this chain of events between two hosts only?

3. Using the query below I am getting the output as a table. However, is it possible to relate the host column values with the eventcodes column values, i.e. which event in the eventcodes column is bound to which host value in the hosts column? You can see the table in the attachment.

index=windows host=* (EventCode=4648 OR EventCode=4672 OR (EventCode=4624 AND Logon_Type=3)) Account_Name!=*$
| fields _time EventCode host Account_Name Logon_Type
| streamstats time_window=120s values(EventCode) AS eventcodes dc(EventCode) AS eventcode_counts values(host) as hosts values(_raw) as raw values(Account_Name) as users values(Logon_Type) as logontype
| where eventcode_counts=3
| table _time hosts eventcodes eventcode_counts users logontype
