For example, I make a correlation search like:
|from datamodel:"Intrusion_Detection"
|eval type=signature+src+dest+dvc
|where severity="high"
|eval status_group="threat"
|stats latest(_time) as _time,values(host) as host,values(id) as id,values(severity) as severity,values(signature) as signature,values(src) as src,values(dest) as dest,values(dvc) as dvc,values(status) as status,values(status_group) as status_group,values(owner) as owner,values(governance) as governance,values(control) as control,values(action) as action count by type
|fillnull value="unknown" src,dest,dvc,governance,control,status,owner,status_group,host,action,user
|where count>10
| table _time,host,severity,signature,src,dest,dvc,status,status_group,owner,governance,control,count,action,id
And now I want to find the original events of this correlation search, maybe like:
2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:57:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:33:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:20:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:43:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:48:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:47:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:59:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:50:00,172.18.1.1,critical,SQL Injection,10.0.0.2
How can I do this?
In your drill-down search you can use the source event values by referencing the field name wrapped in $ - for example, if you want to search by the src field value from the notable event, your drill-down search criteria would include src=$src$.
I believe the values that you want to reference have to be defined in the Enterprise Security Configuration: "Incident Review Settings" -> "Incident Review - Event Attributes" table, and remember that if you're using a datamodel in your correlation search you have to remove the datamodel object name from the field names in that correlation search, for example:
| rename IDS_Attacks.* as *
... or the built-in macro drop_dm_object_name:
| `drop_dm_object_name("IDS_Attacks")`
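As an added example (not part of the question or the answer above), this is a drill-down search that could be attached to the correlation search in the question to pull back the raw IDS events behind one notable. It relies on the answer's two points together: the `$signature$`, `$src$`, `$dest$` and `$dvc$` tokens are substituted from the selected notable event's fields, and the `drop_dm_object_name` macro strips the `IDS_Attacks.` prefix so those field names line up. Because the question's correlation search groups by `type=signature+src+dest+dvc`, every notable carries exactly one value for each of those four fields, so they can be matched directly. The `IDS_Attacks` dataset name is taken from the answer; that the deployment's Intrusion_Detection data model is populated for the time window is an assumption.

```spl
| from datamodel:"Intrusion_Detection.IDS_Attacks"
| `drop_dm_object_name("IDS_Attacks")`
| search signature="$signature$" src="$src$" dest="$dest$" dvc="$dvc$"
| table _time, dvc, severity, signature, src, dest, action
| sort 0 _time
```

The tokens are wrapped in double quotes because signature values such as "SQL Injection" contain spaces. Two things to check when wiring this up: the drill-down's earliest/latest offsets in the correlation search editor must cover the window the correlation search itself ran over, otherwise the `count>10` worth of events will not all be in range; and if the table shows no rows for a notable that clearly had events, the usual cause is that the token field names do not match the names the notable actually carries (for example `src` versus `IDS_Attacks.src`), which is exactly the rename/macro issue described above.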