I'm putting together a search which needs to cross correlate two data sources as well as run a nested search in order to get results I want (username, client IP, top 5 visited sites).
The search for my destination hosts is working well, but I'm not sure how to add the second search based on the criteria that the c_ip column matches the sourceNetworkAddress.
search [search source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | regex UrlDestHost != "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | top c_ip limit=25 | table c_ip ] | regex UrlDestHost != "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | top UrlDestHost by c_ip limit=5 | stats list(UrlDestHost) list(count) by c_ip | sort list(count) desc
evtid=4624 | stats values(evtuser) by sourceNetworkAddress
I'm thinking I need an append and a field alias, but I'm not quite sure how to implement it.
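One way to tie the two searches together is a left join on the IP column, so the proxy results stay the driving set and each c_ip picks up the users that logged on from that address. The search below is an added example, not the poster's own search: it keeps the poster's source, field names and regex, and renames sourceNetworkAddress to c_ip inside the logon subsearch so the join key matches. The field names users, top_sites, hits and total_hits are my own choices.

```spl
search source="windows_snare_foreweb" cs_network="Internal" action="Allowed"
    [ search source="windows_snare_foreweb" cs_network="Internal" action="Allowed"
      | regex UrlDestHost!="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
      | top c_ip limit=25
      | table c_ip ]
| regex UrlDestHost!="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
| top UrlDestHost by c_ip limit=5 showperc=f
| eventstats sum(count) as total_hits by c_ip
| stats max(total_hits) as total_hits
        list(UrlDestHost) as top_sites
        list(count) as hits
        by c_ip
| join type=left c_ip
    [ search evtid=4624
      | stats values(evtuser) as users by sourceNetworkAddress
      | rename sourceNetworkAddress AS c_ip ]
| sort -total_hits
| table c_ip users top_sites hits total_hits
```

The join keeps the ordered top_sites and hits lists intact, which an append followed by stats values(*) by c_ip would not (values() de-duplicates and re-sorts, so the site-to-count pairing is lost). Rows with an empty users column are addresses that appear in the proxy logs but have no 4624 logon in the same time range, which is itself worth looking at. Both the outer search and the join subsearch are bounded by the time picker, so pick a window where the logon events and the proxy traffic overlap; if the 4624 subsearch returns more rows than the subsearch limit allows, narrow it (for example by excluding machine accounts, whose names end in $) or use a lookup instead of join.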