Query Correlation

cesaralzaga · ‎05-24-2013

I was hoping that someone could help me out with a query. I am trying to correlate a DNS request to the firewall IP that was being forward. The firewall shows only the IP related to a rule that fired and I am trying to create a query that will capture the domain name query (DNS) that was associated with the rule(FIREWALL).

I have sourcetype=named query from IP: 72.9.231.10 Port:3391 Name: Paimia.com Destination: 141.101.116.157
sourectype=snort_alerts Blackhole_toolkit 141.101.116.157

I want to build a guery which will show all events from the souretype=snort Blackhole_tookit rule and destination IPs in common with destination IPs in the sourcetype=named.

kml_uvce · ‎05-24-2013

with your less information ,i built below query... here its give output from both sourcetypes and common ip.

sourcetype=snort_alerts "Blackhole_toolkit" |join ip [search sourcetype=named]

kamal singh bisht

kml_uvce · ‎05-29-2013

Please vote or accept this as ans

kamal singh bisht

cesaralzaga · ‎05-29-2013

Thanks for Your help. It was spot on.

kristian_kolb · ‎05-24-2013

without posting any sample events, it's going to be hard for anybody to help you.

Query Correlation

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Query Correlation

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...