Is there any easy way for an alert to trigger another search?
My use case is for an account lockout to trigger a search for failed login attempts for that account, so I do want to pass in some result variables. It looks like I can do this with $result.field$, but I'm not sure if I need to write my own script for this or if there is an easier way.
Here's a rough untested idea of how to merge the two searches:
(eventtype=msad-account-lockout out) OR (eventtype="msad-failed-user-logons" EventCode=4625)
| stats values(eventtype) as et values(displayName) values(email) ... values(src) values(src_ip) ... by user
| search et=msad-account-lockout
That'll effectively join the two eventtypes together by user, and only return users that actually had a lockout in the realtime search window.
Right now the workflow is a realtime alert on this search:
Lockout Alert:
eventtype=msad-account-lockout out | lookup AD_Users_Lookup sAMAccountName as user | table _time, displayName, user, email, telephoneNumber, mobile, pwdLastSet, description, Caller_Computer_Name, dest_nt_host | rename Caller_Computer_Name as "Occurred On", mobile as "Mobile Phone", telephoneNumber as "Phone", user as "UserID", pwdLastSet as "Password Changed On", signature as "Action", description as Description, dest_nt_host as "Reported By"
The secondary search that I'm thinking about looping in is:
Why it locked out, but may come back with multiple results if they try on different PCs (src):
eventtype="msad-failed-user-logons" EventCode=4625 | table user, src, src_ip, EventCodeDescription, dest
You might be able to roll this into one alerting search.
I agree; you can almost certainly do this with a single search (which could then be split into 2 if you like). Give the details and I am sure we can construct a framework for this.
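Putting the two threads together, here is an added example (not code from any of the posters above) of one alerting search that does the lockout/failed-logon join by user and then applies the lockout alert's AD lookup to the joined rows. It assumes the `AD_Users_Lookup` fields named in that alert exist, and it treats the stray `out` term in the original searches as a typo, so that term is omitted.

```spl
(eventtype="msad-account-lockout") OR (eventtype="msad-failed-user-logons" EventCode=4625)
| stats values(eventtype) as et,
        max(_time) as last_seen,
        values(src) as src,
        values(src_ip) as src_ip,
        values(EventCodeDescription) as reason,
        values(dest) as dest,
        dc(src) as src_count
  by user
| search et="msad-account-lockout"
| lookup AD_Users_Lookup sAMAccountName as user OUTPUT displayName, email, telephoneNumber, mobile, pwdLastSet, description
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table last_seen, user, displayName, email, telephoneNumber, mobile, pwdLastSet, src_count, src, src_ip, reason, dest
| rename last_seen as "Last Event", user as "UserID", telephoneNumber as "Phone", mobile as "Mobile Phone", pwdLastSet as "Password Changed On", src_count as "Distinct Sources", src as "Occurred On", reason as "Failure Reason", dest as "Reported By"
```

The `dc(src)` column flags the multi-PC case the original poster mentioned, since all sources for a user are collapsed into one row rather than several. Because the alert now fires with one row per locked-out user, `$result.user$` (or any other column) is available to an alert action directly, with no second search needed.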