Splunk Search

How to correlate events from two devices in splunk and make alert from it

dsdeepak
Explorer

Scenario: I have simulated an attack from PC1 to PC2, which has generated logs on both machines as below. Now I want to create an alert where both event IDs are captured in Splunk within a time frame of 30 sec.

PC1

Log source: Windows

Log Event id = 4648

PC2

Log source: Windows

Log Event id = 4624

Thanks


gcusello
SplunkTrust

hi @dsdeepak ,

let me understand:

you want to correlate events on PC1 with EventCode=4648 with events on PC2 with EventCode=4624, is it correct?

Is there a key to correlate events or do you want to find only, in the same timeframe, if there are events on PC1 with EventCode=4648 and events on PC2 with EventCode=4624?

If this is your need, try something like this:

index=wineventlog (host=PC1 EventCode=4648) OR (host=PC2 EventCode=4624)
| stats dc(EventCode) AS eventcodes
| where eventcodes=2

But in this way you only know that there are events on PC1 with EventCode=4648 and events on PC2 with EventCode=4624, is this sufficient for you?

Ciao.

Giuseppe

dsdeepak
Explorer

Thank you.. 

DalJeanis
Legend

@gcusello  You probably also want to give him the code for the "30 second" part of his request. Here's one cut at that:

index=wineventlog (host=PC1 EventCode=4648) OR (host=PC2 EventCode=4624)
| fields _time EventCode host
| sort 0 _time EventCode host
| streamstats time_window=31s values(EventCode) AS eventcodes dc(EventCode) AS bothpresent list(host) AS hosts
| where bothpresent=2

Or, if you needed the _raw from the two events...

index=wineventlog (host=PC1 EventCode=4648) OR (host=PC2 EventCode=4624)
| fields _time EventCode host
| sort 0 _time EventCode host
| streamstats time_window=31s values(EventCode) AS eventcodes dc(EventCode) AS bothpresent list(host) AS hosts values(_raw) AS Raw
| where bothpresent=2

Also, @dsdeepak, you might want to correlate some other field, such as the user field on both machines, into the search.

If your hypothetical attacker would have the same Windows user field on both machines, then you need a little more code. All this search will do is detect when there is ANY 4648 on one machine and 4624 on the other, not necessarily connected to each other.

dsdeepak
Explorer

Thank you everyone for your answers, they were very helpful. I have modified the query as per my requirement. However, I have a couple of queries.

1. What is the difference between the values and list fields?

2. Is it possible that I can contain this chain of events between two hosts only?

3. By using the below query I am getting the output as a table. However, is it possible that I can relate the host column values with the eventcodes column values, i.e. which event in the eventcodes column is bound to which host value in the host column? You can see the table in the attachment.

index=windows host=* (EventCode=4648 OR EventCode=4672 OR (EventCode=4624 AND Logon_Type=3)) Account_Name!=*$
| fields _time EventCode host Account_Name Logon_Type
| streamstats time_window=120s values(EventCode) AS eventcodes dc(EventCode) AS eventcode_counts values(host) AS hosts values(_raw) AS raw values(Account_Name) AS users values(Logon_Type) AS logontype
| where eventcode_counts=3
| table _time hosts eventcodes eventcode_counts users logontype

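An added example (not from any post in this thread) that ties together DalJeanis's point about keying on the user and the last question about binding each EventCode to its host: it groups the 30-second window by Account_Name, requires the PC1 4648 to come before the PC2 4624, and keeps host and EventCode together in one field. It assumes the field names already used on this page (host, EventCode, Account_Name) and index=wineventlog.

```spl
index=wineventlog (host=PC1 EventCode=4648) OR (host=PC2 EventCode=4624) Account_Name!=*$
| fields _time host EventCode Account_Name
| eval host_event=host.":".EventCode
| sort 0 _time
| streamstats time_window=30s values(host_event) AS host_events dc(EventCode) AS bothpresent earliest(EventCode) AS first_code BY Account_Name
| where bothpresent=2 AND first_code=4648
| table _time Account_Name host_events bothpresent
```

A 4648 event carries two Account_Name values (the subject and the account whose credentials were used), so on real data extract the one you want to correlate on before the BY clause, otherwise the grouping will not line up with the 4624 on PC2.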