I'm looking for a way that I can take some logon logs and figure out the firewall logs for only when the user had the IP. Because it's a VPN pool, the IPs refresh and get reused quickly, so I'm trying to build a correlation that can positively match the activity to an endpoint.
What I have so far:
sourcetype=WinEventLog:Security AccountName="username" | transaction TaskCategory startswith=Logon endswith="Logon/Logoff" | table _time TaskCategory Source_Network_Address
I would like to do a subsearch that is logically similar to this:
in sourcetype=fwlogs where src_ip=Source_Network_Address starts with transaction start-time-ends with transaction-end-time
Any thoughts?
This should do the trick (replace &lt; with "<" and &gt; with ">"; stupid markdown bugs):
sourcetype=WinEventLog:Security AccountName="username"
| transaction TaskCategory startswith=Logon endswith="Logon/Logoff"
| eval startTime=_time | eval endTime=_time+duration
| map search="search sourcetype=fwlogs src_ip=$Source_Network_Address$ _time>=$startTime$ _time<=$endTime$"
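The logic the answer expresses in SPL (pair each Logon with its Logoff into a session, then keep only firewall events whose src_ip matches and whose timestamp falls inside that session's window) is shown below as an added Python example that is not part of the original thread. The logon and firewall records are constructed sample data, and the field names (Account_Name, Source_Network_Address, src_ip) are assumed to mirror the fields named in the question; the point it adds beyond the SPL is the pool-reuse edge case, where the same IP belongs to two different users a minute apart and an event in the gap belongs to nobody.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample Windows Security logon/logoff records (not from the thread):
# (_time, TaskCategory, Account_Name, Source_Network_Address)
LOGON_EVENTS = [
    ("2023-01-10 08:00:00", "Logon",  "alice", "10.8.0.5"),
    ("2023-01-10 08:30:00", "Logoff", "alice", "10.8.0.5"),
    ("2023-01-10 08:31:00", "Logon",  "bob",   "10.8.0.5"),  # pool IP reused 60s later
    ("2023-01-10 09:00:00", "Logoff", "bob",   "10.8.0.5"),
    ("2023-01-10 09:30:00", "Logon",  "alice", "10.8.0.9"),  # no Logoff yet: still open
]

# Constructed sample firewall records: (_time, src_ip, dest)
FW_EVENTS = [
    ("2023-01-10 08:15:00", "10.8.0.5", "203.0.113.10:443"),
    ("2023-01-10 08:30:30", "10.8.0.5", "203.0.113.11:443"),  # in the gap between sessions
    ("2023-01-10 08:45:00", "10.8.0.5", "203.0.113.12:443"),
    ("2023-01-10 09:45:00", "10.8.0.9", "203.0.113.13:22"),
    ("2023-01-10 10:00:00", "10.8.0.5", "203.0.113.14:80"),   # nobody holds the IP now
]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None means the session is still open (no Logoff seen)

    def holds(self, ip: str, t: datetime) -> bool:
        """True if this session owned `ip` at instant `t` (inclusive bounds, like the SPL)."""
        return self.ip == ip and self.start <= t and (self.end is None or t <= self.end)


def build_sessions(events):
    """Pair each Logon with the next Logoff for the same (user, ip), the same grouping
    'transaction startswith=Logon endswith=Logoff' performs. A Logon with no matching
    Logoff stays open-ended; a second Logon for an already-open key closes the first."""
    open_by_key = {}
    sessions = []
    for ts, category, user, ip in sorted(events, key=lambda e: e[0]):
        t = parse(ts)
        key = (user, ip)
        if category == "Logon":
            if key in open_by_key:
                prev = open_by_key.pop(key)
                prev.end = t
                sessions.append(prev)
            open_by_key[key] = Session(user, ip, t, None)
        elif category == "Logoff" and key in open_by_key:
            s = open_by_key.pop(key)
            s.end = t
            sessions.append(s)
    sessions.extend(open_by_key.values())
    return sessions


def correlate(sessions, fw_events):
    """Attribute each firewall event to the user who held src_ip at that moment.
    Owner is None when no session covers the event (the pool address was unassigned)
    and 'ambiguous' if overlapping sessions claim the same IP, which should be
    investigated rather than silently picked from."""
    out = []
    for ts, src_ip, dest in fw_events:
        t = parse(ts)
        owners = [s.user for s in sessions if s.holds(src_ip, t)]
        if len(owners) == 1:
            owner = owners[0]
        elif owners:
            owner = "ambiguous"
        else:
            owner = None
        out.append((ts, src_ip, dest, owner))
    return out


def events_for_user(user, sessions, fw_events):
    """The equivalent of the answer's map subsearch restricted to one account."""
    return [e for e in correlate(sessions, fw_events) if e[3] == user]


if __name__ == "__main__":
    sessions = build_sessions(LOGON_EVENTS)
    for ts, src_ip, dest, owner in correlate(sessions, FW_EVENTS):
        print(f"{ts}  {src_ip:<10} -> {dest:<18} owner={owner}")
```

Running it prints five rows: the 08:15 and 08:45 events from 10.8.0.5 go to alice and bob respectively, the 08:30:30 event lands in the gap and gets no owner, and the 10:00 event from the same address is unowned because the pool lease had ended. In the SPL version the same discipline matters: the `_time>=$startTime$ _time<=$endTime$` bounds on the map subsearch are what keep a reused pool address from pulling in the next user's traffic, and events that no session covers should be treated as unattributed rather than assigned to whoever last held the IP.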