I need assistance building a search that looks back in time 5 minutes to check and see if fields are present. If so, I do not need it to return any results. This is correlating two different security logs.
sourcetype=a field=1 field=2 field=3 is used to look back 5 minutes against
sourcetype=b field=1 field=2 field=3
If there is a match, return no results. If no match, return sourcetype=a field=1 field=2 field=3 results.
Any assistance would be appreciated.
@jodros please add more relevant details. Do you want to correlate based on field names or on the values of the fields? I.e., field1, field2 and field3 need to be present in the event? Or, for field1=<value1>, field2=<value2> and field3=<value3>, do you want to correlate when the values value1, value2 and value3 are the same for the three fields? Please add some sample cooked-up data for the two events and the final expected output so that the community can assist you better!
Thanks @niketnilay. Both sourcetypes have the same fields (field 1, field 2, field 3). I need to know when they also have the same values. This is for a security alert. The alert should search for the three fields in sourcetype "a", then look back in time from that point 5 minutes (-5m@m to now) for the same fields and values in sourcetype "b". If the same fields and values are found, then no alert should fire. If the same fields and values are not found, then an alert should fire with the data from sourcetype "a" (field 1, field 2, field 3).
I am trying something like this, but it is not working.
(sourcetype=apple action=blocked) | append [ search sourcetype=banana | rename source as bsource destination as bdestination url as burl] | eval contained = if(bsource != source, "false", if(bdestination != destination, "false", if(burl != url, "false", "true"))) | table bsource bdestination burl | where contained = false
Any help would be appreciated.
I think I got this working with transactions. Let me know if this is the best way or if there is a more CPU-friendly way.
(sourcetype=apple action=blocked) OR (sourcetype=banana) | eval Stuff=coalesce(stuffa,stuffb) | transaction source destination Stuff url startswith="word" endswith="anotherword" keepevicted=true maxevents=2 | search sourcetype=banana closed_txn=0 | table _time source destination Stuff url
@jodros stats might be a better way, but the community would be able to assist better if you can provide some cooked-up dummy data for events containing word and anotherword.
There are several examples on the community site for this kind of use case, with stats as an alternative to transaction.
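As an added example that is not part of this thread, here is one way to express the look-back with stats instead of transaction, reusing the field names from the searches above (source, destination, Stuff, url and the apple/banana sourcetypes). The 300-second window, the eventstats pass and the matched flag are my assumptions about the intended semantics: a group is suppressed only when a banana event with the same values occurred in the 5 minutes before the latest apple event, and only that latest apple event per group is evaluated.

```spl
(sourcetype=apple action=blocked) OR sourcetype=banana earliest=-6m@m latest=now
| eval Stuff=coalesce(stuffa,stuffb)
| eval apple_time=if(sourcetype="apple", _time, null())
| eventstats max(apple_time) as last_apple by source destination Stuff url
| where isnotnull(last_apple)
| eval matched=if(sourcetype="banana" AND _time<=last_apple AND last_apple-_time<=300, 1, 0)
| stats max(last_apple) as _time, sum(matched) as matches by source destination Stuff url
| where matches=0
| table _time source destination Stuff url
```

A banana event that arrives after the apple event does not suppress the alert, which matches the look-back requirement, and the earliest bound must sit at least 5 minutes before the oldest apple event you want evaluated or its banana match can fall outside the search.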