Hi,
How do I correlate events with an event correlation rule? So, how can I write a correlation rule?
Thanks a lot
Hi @trazomtg ,
As the others already said, in Splunk you can correlate events from the same or different data sources, even if they are heterogeneous.
The rule for creating a correlation search is to identify the correlation key, in other words the fields to use to correlate the different events.
We could help you, but it's mandatory to have more details about the data flows to correlate.
As an example, you could correlate access logs of a Windows server with an entrance badge: if in Windows the login is recognized by user and EventCode=4624, and e.g. in the entrance badge the user field is username and the action is action="access", you could create a search like the following:
(index=wineventlog EventCode=4624) OR (index=entrance_badge action="access")
| eval user=coalesce(user,username)
| stats
earliest(eval(if(index=="wineventlog",_time,null()))) AS wineventlog_time
earliest(eval(if(index=="entrance_badge",_time,null()))) AS entrance_badge_time
dc(index) AS index_count
BY user
| eval
wineventlog_time=strftime(wineventlog_time,"%Y-%m-%d %H:%M:%S"),
entrance_badge_time=strftime(entrance_badge_time,"%Y-%m-%d %H:%M:%S")
In this way, you can check that a user was present in the office when they accessed a server.
Ciao.
Giuseppe
A correlation search is just a scheduled search with extra steps. So you need to know what you are looking for, write a search looking for it (preferably an effective one, since it's probably going to be spawned often) and configure the rest of the settings for the correlation search (which will be different depending on whether you mean a correlation search in ES or ITSI).
Hi @trazomtg
In order for us to help you, please could you provide more detail on what you are trying to achieve and which product(s) you're using.
Hi,
It's simple. I receive lots of events from different hosts. They mention that all the hosts are down, but the reason is that the router connected to these hosts is down. So I don't want to receive messages from the hosts, but just one message from the router.
As @gcusello indicates, you will need a common/correlation field between the host message and the router message. It is best for you to illustrate your data, even mock data, and illustrate how you want the output to be. (You have just explained the logic between input and desired output. This is good.)
Short of your illustrations, let me assume that the common field in host message (sourcetype=host_message) is named gateway, and that in router message (sourcetype=router_message) is named side_a. Assume further that there is a field named status in both. (But statuses are independent despite a common name.)
While the above assumptions about data are reasonable, it is even more critical to have your input about your use case, i.e., desired results. Here, I imagine that you want Splunk to output all host failure messages if their common gateway is up, but if a common gateway is down, you want to suppress host failure messages, only output router failure message.
This is how you should describe your use case using data:
host:

| gateway | host | sourcetype | status |
|---|---|---|---|
| 10.0.0.1 | host1 | host_message | up |
| 10.0.0.1 | host2 | host_message | down |
| 10.0.1.1 | host3 | host_message | down |
| 10.0.0.1 | host4 | host_message | up |
| 10.0.1.1 | host5 | host_message | down |
| 10.0.0.1 | host6 | host_message | down |
| 10.0.1.1 | host7 | host_message | down |

router:

| host | side_a | sourcetype | status |
|---|---|---|---|
| router1 | 10.0.0.1 | router_message | up |
| router2 | 10.0.1.1 | router_message | down |

Desired results:

| gateway | host | side_a | sourcetype | status |
|---|---|---|---|---|
| 10.0.0.1 | host2 | | host_message | down |
| 10.0.0.1 | host6 | | host_message | down |
| | router2 | 10.0.1.1 | router_message | down |
Logic between data and desired results:
This is a search to get such output from illustrated data:
sourcetype IN (host_message, router_message) status = down
| eval down_router = if(sourcetype == "router_message", host, null())
| eval router = coalesce(gateway, side_a)
| eventstats values(down_router) as down_router by router
| where isnull(down_router) or sourcetype == "router_message"
| fields - down_router router
Here is an emulation for you to play with and compare with real data.
| makeresults format=csv data="host,gateway,status
host1, 10.0.0.1, up
host2, 10.0.0.1, down
host3, 10.0.1.1, down
host4, 10.0.0.1, up
host5, 10.0.1.1, down
host6, 10.0.0.1, down
host7, 10.0.1.1, down"
| eval sourcetype = "host_message"
| append
[ makeresults format=csv data="host, side_a, status
router1, 10.0.0.1, up
router2, 10.0.1.1, down"
| eval sourcetype = "router_message"]
| search status = down
``` the above emulates
sourcetype IN (host_message, router_message) status = down
```
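The suppression logic of the search above, rewritten as a small Python model so the result can be checked against the "Desired results" table. This is an added example, not code from any of the posts; the event dictionaries are constructed to mirror the illustrated host and router tables, and the field names (gateway, side_a, status, sourcetype) are the ones assumed in the answer.

```python
from collections import defaultdict

# Constructed sample events that mirror the host and router tables above.
HOST_EVENTS = [
    {"sourcetype": "host_message", "host": h, "gateway": gw, "status": st}
    for h, gw, st in [
        ("host1", "10.0.0.1", "up"), ("host2", "10.0.0.1", "down"),
        ("host3", "10.0.1.1", "down"), ("host4", "10.0.0.1", "up"),
        ("host5", "10.0.1.1", "down"), ("host6", "10.0.0.1", "down"),
        ("host7", "10.0.1.1", "down"),
    ]
]
ROUTER_EVENTS = [
    {"sourcetype": "router_message", "host": "router1", "side_a": "10.0.0.1", "status": "up"},
    {"sourcetype": "router_message", "host": "router2", "side_a": "10.0.1.1", "status": "down"},
]


def correlation_key(event):
    """The shared key, like `eval router = coalesce(gateway, side_a)`."""
    return event.get("gateway") or event.get("side_a")


def correlate(events):
    """Return the failure events worth alerting on.

    Same steps as the SPL search: keep status=down, record which routers are
    down per correlation key (the eventstats pass), then drop host failures
    whose router is itself down while keeping every router failure.
    """
    down = [e for e in events if e["status"] == "down"]
    down_routers = defaultdict(set)          # key -> routers reporting down
    for e in down:
        if e["sourcetype"] == "router_message":
            down_routers[correlation_key(e)].add(e["host"])
    return [
        e for e in down
        if e["sourcetype"] == "router_message"
        or not down_routers.get(correlation_key(e))
    ]


def alert_names(events):
    """Hosts/routers that would be alerted on, in event order."""
    return [e["host"] for e in correlate(events)]


if __name__ == "__main__":
    for e in correlate(HOST_EVENTS + ROUTER_EVENTS):
        print(e)   # host2, host6 and router2, as in the "Desired results" table
```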