Query Correlation

cesaralzaga · ‎05-24-2013

I was hoping that someone could help me out with a query. I am trying to correlate a DNS request to the firewall IP that was being forward. The firewall shows only the IP related to a rule that fired and I am trying to create a query that will capture the domain name query (DNS) that was associated with the rule(FIREWALL).

I have sourcetype=named query from IP: 72.9.231.10 Port:3391 Name: Paimia.com Destination: 141.101.116.157
sourectype=snort_alerts Blackhole_toolkit 141.101.116.157

I want to build a guery which will show all events from the souretype=snort Blackhole_tookit rule and destination IPs in common with destination IPs in the sourcetype=named.

kml_uvce · ‎05-24-2013

with your less information ,i built below query... here its give output from both sourcetypes and common ip.

sourcetype=snort_alerts "Blackhole_toolkit" |join ip [search sourcetype=named]

kamal singh bisht

kml_uvce · ‎05-29-2013

Please vote or accept this as ans

kamal singh bisht

cesaralzaga · ‎05-29-2013

Thanks for Your help. It was spot on.

kristian_kolb · ‎05-24-2013

without posting any sample events, it's going to be hard for anybody to help you.

Query Correlation

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Join the Conversation

Query Correlation

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...