Hi, I have to create correlation searches in Splunk ES. My cron schedule will be */60 * * * *. Is it better to use a real-time schedule or a continuous schedule? Is it necessary to fill the time r...
Here is my search in question; the common field is the SessionID.
index=eis_lb apm_eis_rdp
| fillnull value="-"
| search UserID!="-"
| rex field=_raw "\/Common\/apm_eis_rdp:ent-eis[:a-zA-Z0-9_.-](?'Se...
Hello,
I would like to request guidance on how to create a correlation search based on data provided by SANS Threat Intelligence from https://isc.sans.edu/block.txt
The malicious IPs f...
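As an added example, not part of the poster's question and not Splunk-provided content, one way to build such a correlation search. It assumes the block list has already been loaded into a CSV lookup named sans_block_list with columns cidr, attacks and name (all hypothetical names), that the lookup is defined in transforms.conf with match_type = CIDR(cidr) so a single destination address matches the address ranges the list publishes, and that firewall events in an assumed index=firewall carry src_ip, dest_ip, dest_port and action fields.

```spl
index=firewall action=allowed
| lookup sans_block_list cidr AS dest_ip OUTPUT cidr AS blocked_range attacks AS list_attacks name AS list_name
| where isnotnull(blocked_range)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen values(dest_port) AS dest_port BY src_ip dest_ip blocked_range list_name
| sort - count
```

Scope the search's time range to match its schedule (for an hourly schedule, the last 60 minutes with a small overlap) so each run sees new events exactly once, and refresh the lookup on its own schedule because the list changes daily. Traffic to a listed range is a lead rather than a confirmed compromise, so the notable it raises should carry src_ip, dest_ip and the list's name so an analyst can triage it.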
A question:
When we talk about correlation, is it necessarily because a query is being made in 2 or more sources?
Or is it also considered correlation when certain criteria are searched in a s...
Hello,
Help me please. I'd like to define multiple searches or subsearches to merge all relevant information about alerts.
Interesting fields in search are the hosts - as managed_host field and...
Hello peeps,
Does anyone know a better accelerator command that can help to correlate data? I'm trying to correlate proxy server logs and AD logs. Please see my base search:
(index=p...
I have an index A and another index B. Logs in A have a correlation to logs in B, but the only common field between them is 'timestamp'. There is a field 'fa' in index A and a field 'fb' in index B. t...
Hi All,
There are a few risk notable events being generated in the Incident Review page as part of the correlation searches being run.
How can we exclude a few users (who are from the SOC team) from correl...
...essage and correlate between two. I am looking for numbers 272 and 1,856 from HERE and looking for sample1 and sample2 from THERE
Both HERE and THERE will have 272 in common, and that is the only one....
I am writing a query to correlate across two different indexes. One index has a userID field. I want the query to match a field in the second index and output additional fields from the second index....
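As an added example for this question and for the earlier one where the two indexes share only a timestamp, not code from either poster: the first search correlates on a shared key, the second on a time bucket. Index and field names are assumptions: index_a carries userID and src_ip, index_b carries user_name and department, and fa and fb are the per-index fields the earlier poster named.

```spl
(index=index_a) OR (index=index_b)
| eval user=coalesce(userID, user_name)
| where isnotnull(user)
| stats dc(index) AS sources values(src_ip) AS src_ip values(department) AS department earliest(_time) AS first_seen BY user
| where sources=2

(index=index_a) OR (index=index_b)
| bin _time span=1m
| stats dc(index) AS sources values(fa) AS fa values(fb) AS fb BY _time
| where sources=2
```

Pulling both indexes into one search and aggregating with stats avoids the subsearch result and time limits that join is subject to, and dc(index)=2 keeps only keys (or buckets) seen in both sources. The time-bucket form is an approximation: two events a few seconds apart that straddle a minute boundary land in different buckets and are not paired, so pick the span from the real latency between the two feeds, or use transaction with maxspan when the pairing must be exact.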