I have the below Splunk query which gives me the result.
My SPL searches the " eventType IN (security.threat.detected, security.internal.threat.detected) " and provides me the src_ip results.
But the same src_ip field has multiple user_id results in other eventType.
I want my SPL to search the src_ip results with other eventType and filter if the user_id="*idp*".
Example - If my src_ip=73.09.52.00, then the src_ip should search the other available eventType and filter the result if the user_id=*idp*
My current SPL:
index=appsrv_test sourcetype="OktaIM2:log" eventType IN (security.threat.detected, security.internal.threat.detected)
| rex field=debugContext.debugData.url "\S+username\=(?<idp_accountname>\S+idp-references)"
| search NOT idp_accountname IN (*idp-references*)
| regex src_ip!="47\.37\.\d{1,3}\.\d{1,3}"
| rename actor.alternateId as user_id, target{}.displayName as user, client.device as dvc, client.userAgent.rawUserAgent as http_user_agent, client.geographicalContext.city as src_city, client.geographicalContext.state as src_state, client.geographicalContext.country as src_country, displayMessage as threat_description
| strcat "Outcome Reason: " outcome.reason ", Outcome Result: " outcome.result details
| stats values(src_ip) as src_ip min(_time) as firstTime max(_time) as lastTime count by _time signature threat_description eventType dvc src_city src_state src_country http_user_agent details
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`
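One way to do what the question describes, as an added example and not part of the original post: run the threat-detection search as a subsearch that returns the distinct src_ip values, then let the outer search pull every other eventType for those addresses and keep only the events whose user_id matches *idp*. The index, sourcetype and field names (src_ip, actor.alternateId, eventType) are taken from the question; the output field names (event_types, firstTime, lastTime) are assumptions chosen for this example.

```spl
index=appsrv_test sourcetype="OktaIM2:log"
    NOT eventType IN (security.threat.detected, security.internal.threat.detected)
    [ search index=appsrv_test sourcetype="OktaIM2:log"
        eventType IN (security.threat.detected, security.internal.threat.detected)
      | regex src_ip!="47\.37\.\d{1,3}\.\d{1,3}"
      | stats count by src_ip
      | fields src_ip ]
| rename actor.alternateId as user_id
| search user_id="*idp*"
| stats values(eventType) as event_types
        min(_time) as firstTime
        max(_time) as lastTime
        count
        by src_ip user_id
| convert ctime(firstTime) ctime(lastTime)
```

The subsearch in square brackets is expanded into `(src_ip="a.b.c.d" OR src_ip="...")` before the outer search runs, so the outer search only scans events from addresses that already produced a ThreatInsight detection. Two caveats worth checking on a real dataset: subsearches are capped by default at 10,000 results and 60 seconds, so on a busy tenant constrain the time range or raise the limit deliberately; and the `NOT eventType IN (...)` clause in the outer search is there only to exclude the detection events themselves, so drop it if you also want the threat events listed beside the matching user_id logins.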