Hi,
I have 2 sourcetypes: wineventlog:security and WinEventLog:Microsoft-Windows-Sysmon/Operational. I have extracted a field from each of them:
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
Extract-LogonIDSysmon = (LogonId:)(\s)*(\t)*(?P<LogonIDSysmon>(0x)?[0-9a-f]+)
[WinEventLog:Security]
EXTRACT-LogonID = (\s)*(\t)*(Logon ID:)(\s)*(\t)*(?P<LogonID>(0x)?[0-9a-f]+)
I need to search the events that match those values grouped together. I tried to use the transaction command and thought this could be done by creating an alias for those fields:
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-LogonIdMulti = LogonIDSysmon AS LogonIdMulti
[WinEventLog:Security]
FIELDALIAS-LogonIdMulti = LogonID AS LogonIdMulti
When I run the search:
index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational") host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time
Only events from sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational appear.
When I run the search:
index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time
I get results and I see the field LogonIdMulti on the left like the other fields.
But when I run the search:
index=* sourcetype="wineventlog:security" host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time
I have no results and the field LogonIdMulti doesn't appear.
But when I run:
index=* sourcetype="wineventlog:security" host="progressive.lightech.ar" | transaction LogonID | sort -_time
I get results, although the field LogonIdMulti is not listed on the left.
What is the correct way to achieve my goal of having all the events that match those fields grouped together as a transaction?
Thank you very much.
Think I found the solution:
index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational") host="progressive*" | eval LogonIdMix = coalesce(LogonID, LogonIDSysmon) | sort -_time | transaction LogonIdMix
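To check the two extractions and the coalesce-based grouping offline, here is an added Python model (not part of the original post and not Splunk code) that applies the posted regexes to constructed sample events and groups them the way eval coalesce(...) followed by transaction LogonIdMix would. The sample events, the SECURITY/SYSMON constants and the extract_fields/coalesce/build_transactions helpers are assumptions made for this example.

```python
import re
from collections import defaultdict

# The two search-time extractions from the props.conf stanzas in the post.
# Splunk and Python both use (?P<name>...) named groups, so they work verbatim.
EXTRACT_SECURITY = re.compile(r"(\s)*(\t)*(Logon ID:)(\s)*(\t)*(?P<LogonID>(0x)?[0-9a-f]+)")
EXTRACT_SYSMON = re.compile(r"(LogonId:)(\s)*(\t)*(?P<LogonIDSysmon>(0x)?[0-9a-f]+)")

SECURITY = "wineventlog:security"
SYSMON = "WinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not real log data). Values are lowercase hex
# because the posted character class [0-9a-f] only matches lowercase digits.
SAMPLE_EVENTS = [
    {"_time": 1, "sourcetype": SECURITY, "_raw": "An account was successfully logged on.\r\n\tLogon ID:\t\t0x3e7\r\n"},
    {"_time": 2, "sourcetype": SYSMON, "_raw": "Process Create:\r\nLogonId: 0x3e7\r\nImage: C:\\Windows\\System32\\svchost.exe\r\n"},
    {"_time": 3, "sourcetype": SYSMON, "_raw": "Process Create:\r\nLogonId: 0x1a2b3\r\n"},
    {"_time": 4, "sourcetype": SECURITY, "_raw": "An account was logged off.\r\n\tLogon ID:\t\t0x1a2b3\r\n"},
    {"_time": 5, "sourcetype": SECURITY, "_raw": "Audit policy changed.\r\n"},  # no Logon ID field at all
]

# Which extraction applies to which sourcetype (this model compares case-insensitively).
EXTRACTIONS = {
    SECURITY.lower(): (EXTRACT_SECURITY, "LogonID"),
    SYSMON.lower(): (EXTRACT_SYSMON, "LogonIDSysmon"),
}


def extract_fields(event):
    """Apply the sourcetype-specific extraction to _raw, like a search-time EXTRACT."""
    fields = dict(event)
    pattern, name = EXTRACTIONS.get(event["sourcetype"].lower(), (None, None))
    if pattern is not None:
        m = pattern.search(event["_raw"])
        if m:
            fields[name] = m.group(name)
    return fields


def coalesce(*values):
    """Splunk's coalesce(): the first argument that is not null."""
    return next((v for v in values if v is not None), None)


def build_transactions(events):
    """Model of: | eval LogonIdMix = coalesce(LogonID, LogonIDSysmon) | transaction LogonIdMix
    Returns {LogonIdMix: [events in time order]}; events lacking both fields are left out here."""
    groups = defaultdict(list)
    for ev in events:
        f = extract_fields(ev)
        f["LogonIdMix"] = coalesce(f.get("LogonID"), f.get("LogonIDSysmon"))
        if f["LogonIdMix"] is not None:
            groups[f["LogonIdMix"]].append(f)
    return {k: sorted(v, key=lambda e: e["_time"]) for k, v in groups.items()}
```

Running build_transactions(SAMPLE_EVENTS) yields one group per logon ID containing both the Security and the Sysmon events, which is the cross-sourcetype grouping the coalesce search produces.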