Correlate two sources when an event from source A happens in between two events (a VPN session) on source B

bcusick
Communicator

Hi,

I am trying to see when an event happens on source=A in between 2 events on source=VPN.
My VPN source provides two different events for "login" and "logout".

I want to link the two sources by usernames, but source=A has them listed differently, as "app_user". I currently use a lookup table to return the type of username I want, "ad_id". My VPN source has the user listed as 'citrix_user'.

source=A has fields called 'app_user' and a few other non-important sources.

source=VPN has fields called _time, citrix_user, and action. Action is either 'LOGIN' or 'LOGOUT'.

This is what I have, but it is not mapping the citrix_user correctly. The status should return "ok" if there is a match.

source="A" | lookup lookuptable.csv app_user | join ad_id [search source=VPN | fields + citrix_user, _time, action] | eval status = if((ad_id=citrix_user), "alert", "ok") | table _time, trader_login, ad_id, citrix_user, action, status

chris
Motivator

I recommend that you have a look at how the Splunk CIM can be used to normalize your field names. The coalesce function for the eval command used below will make sure that you have a "user" field in both your sources.

You might be able to correlate your events using the transaction command:

source="A" OR source=VPN | lookup lookuptable.csv app_user | eval user=coalesce(ad_id,citrix_user) | transaction user | where eventcount > 2 | where mvcount(source) > 1 | table _time, trader_login, ad_id, citrix_user, action

The transaction command will group the events that belong to one event. It has options to define the limits of the events that belong together, such as maxspan or startswith. You could use the startswith parameter with a string that identifies your VPN login. By searching for transactions with an eventcount > 2 and that consist of events from more than one source, you should get results with a login event, a "source A" event and a logout event (this might need fine tuning though).

Just another thing I've noticed, is that you search for sources in your search. Usually it is best to use sourcetypes. But you might have a reason for doing it this way.


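As an added example that is not part of this thread, the same correlation rule chris describes (a source A event counts as matched only when it falls between a VPN LOGIN and the following LOGOUT for the same user) reimplemented in plain Python, so the matching rules can be exercised offline. The lookup table and the VPN / source A events are constructed for illustration; the field names (citrix_user, app_user, ad_id, action) are the ones from the question, and the status values "ok" / "alert" follow the asker's stated intent, with "ok" meaning the event sits inside a VPN session.

```python
"""Correlate source A events with VPN LOGIN/LOGOUT sessions by normalized user.

Added example, not code from the Splunk thread. All data below is constructed.
"""
from datetime import datetime

# Constructed stand-in for lookuptable.csv: app_user -> ad_id
LOOKUP = {"jsmith_app": "jsmith", "adoe_trd": "adoe"}

# Constructed stand-ins for source=VPN events (citrix_user, action, _time)
VPN_EVENTS = [
    {"_time": "2024-03-01T08:00:00", "citrix_user": "jsmith", "action": "LOGIN"},
    {"_time": "2024-03-01T12:00:00", "citrix_user": "jsmith", "action": "LOGOUT"},
    {"_time": "2024-03-01T09:00:00", "citrix_user": "adoe", "action": "LOGIN"},
    # adoe never logs out in this window: session is still open
]

# Constructed stand-ins for source=A events (app_user, _time)
A_EVENTS = [
    {"_time": "2024-03-01T10:00:00", "app_user": "jsmith_app"},  # inside session
    {"_time": "2024-03-01T13:00:00", "app_user": "jsmith_app"},  # after LOGOUT
    {"_time": "2024-03-01T10:00:00", "app_user": "adoe_trd"},    # open session
    {"_time": "2024-03-01T10:00:00", "app_user": "nobody_app"},  # no lookup hit
    {"_time": "2024-03-01T08:30:00", "app_user": "adoe_trd"},    # before LOGIN
]


def parse_time(value):
    return datetime.fromisoformat(value)


def build_sessions(vpn_events):
    """Pair LOGIN/LOGOUT into (start, end) intervals per citrix_user.

    end is None for a session still open at the end of the data; start is None
    for a LOGOUT whose LOGIN happened before the data starts. A second LOGIN
    without a LOGOUT closes the previous session at the new LOGIN time.
    """
    sessions = {}
    open_login = {}
    for ev in sorted(vpn_events, key=lambda e: parse_time(e["_time"])):
        user, t = ev["citrix_user"], parse_time(ev["_time"])
        if ev["action"] == "LOGIN":
            if user in open_login:
                sessions.setdefault(user, []).append((open_login.pop(user), t))
            open_login[user] = t
        elif ev["action"] == "LOGOUT":
            sessions.setdefault(user, []).append((open_login.pop(user, None), t))
    for user, start in open_login.items():
        sessions.setdefault(user, []).append((start, None))
    return sessions


def in_session(sessions, user, t):
    """True when t lies within any (start, end) interval recorded for user."""
    for start, end in sessions.get(user, []):
        if (start is None or start <= t) and (end is None or t <= end):
            return True
    return False


def correlate(a_events, vpn_events, lookup):
    """Return one row per source A event with the normalized user and a status.

    status is "ok" when the event falls inside a VPN session of the mapped
    ad_id, and "alert" otherwise (unknown app_user, or outside every session).
    """
    sessions = build_sessions(vpn_events)
    rows = []
    for ev in a_events:
        ad_id = lookup.get(ev["app_user"])  # same role as the lookup command
        t = parse_time(ev["_time"])
        matched = ad_id is not None and in_session(sessions, ad_id, t)
        rows.append({
            "_time": ev["_time"],
            "app_user": ev["app_user"],
            "ad_id": ad_id,
            "citrix_user": ad_id if matched else None,
            "status": "ok" if matched else "alert",
        })
    return rows


if __name__ == "__main__":
    for row in correlate(A_EVENTS, VPN_EVENTS, LOOKUP):
        print(row)
```

The open-session case (adoe, LOGIN with no LOGOUT yet) is the one a `transaction ... startswith=LOGIN endswith=LOGOUT` search would drop, because the transaction never closes; here it is treated as still active, which is usually what you want when the alert is "activity outside a VPN session".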

bcusick
Communicator

I meant to answer this earlier, but this worked like a charm. Thank you! And yes, my search was specific to certain sources.
