Splunk Search

Is there a way in Splunk to determine how a user arrived at a destination IP?

redhonda03_2
Engager

Is there a way in Splunk to determine how a user arrived at a destination IP? Did they click a link from a certain webpage, or did they go there directly?

Another way to look at it is if there is a way to separate user activity from webpage activity. Websites automatically load advertisements and other content automatically within a second, or a very small time interval. Users on the other hand are scrolling, clicking on a link, then clicking on another link which takes a significantly longer amount of time.

Being able to consolidate web page activity where dozens of destination addresses are accessed within 5 seconds into a single event where just the first record is shown would help to reduce the number of results returned when you're looking at a time window containing several thousand records.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @redhonda03_2,

the only answer to this question brings two other questions:

  • have you these information in the logs from the proxy or the web server?
  • did you ingested these logs in your Splunk?

if the answer is yes to both my answers, it's possible.

You have only to correlate events identifying the transaction keys (e.g. the username).

Ciao.

Giuseppe

0 Karma

redhonda03_2
Engager

Hi Guiseppe,

Regarding you questions, yes we have have web logs and yes they are being set to splunk. You mentioned "transaction keys", is this different that values listed in one of the 'interesting fields' listed in the Splunk search?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @redhonda03_2,

as "transaction_key" I mean a common field that can be used to correlate different data, e.g. username, transaction_id, etc....

Having this field you can correlate data from different data source, otherwise it's really difficoult to create a correlation.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...