Dear Sirs,
in symantec dlp we have different policies consider it as (1,2,3,...etc) and when i user violate any policy we will receive logs showing that,
another case is when a user violate 2 policies at the same time (like 1 and 2 together) still the dlp showing each event as a seperate one.
my question is, how can i write a search in splunk that will show me if two policies violated at the same time by the same user.
for example, sending external e-mail is a policy and sending confidential documents is a policy, so in case someone send external email with confidential documents in it this is violation for 2 policies in same time, and thats what i'm looking for.
regards
The easiest (yet not most elegant) way would be using the transaction
command. Depending on the amount of events to search, this command may pr pretty "expensive" to run - so keep this in mind if you experience performance issues.
Assuming you have the username as field user
, and the violation events are within less than 5 seconds, your search could be something like this:
<base search that returns violations events> | transaction user maxpause=5s | where linecount > 1
This will group the violation events together and only keep those where more than 1 violation occurred within 5s.
Hope this helps!
The easiest (yet not most elegant) way would be using the transaction
command. Depending on the amount of events to search, this command may pr pretty "expensive" to run - so keep this in mind if you experience performance issues.
Assuming you have the username as field user
, and the violation events are within less than 5 seconds, your search could be something like this:
<base search that returns violations events> | transaction user maxpause=5s | where linecount > 1
This will group the violation events together and only keep those where more than 1 violation occurred within 5s.
Hope this helps!