I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example, an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 would have a failure also logged saying "account is disabled". I can find both of these as separate events, but how do I correlate them?
For example if I did say sourcetype="winseclogs" Eventcode=4768
I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say sourcetype="winseclogs" Eventcode=4625
I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slight drift). How would I correlate these into a single search?
I tried this and it looks like it should work, but I'm not too sure:
sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]
You can create a transaction that will accomplish this with the Account_Name as your field you join on:
sourcetype="winseclogs" (Eventcode=4625 OR Eventcode=4768)
| transaction Account_Name maxspan=5s
| search Eventcode=4625 Eventcode=4768
That will join the events together if they happen within 5 seconds of each other. If they truly always occur at the same exact time then you can drop that down to 1s.
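An added example (mine, not from the question or the answer above) that reproduces what that transaction search does in plain Python, so the grouping can be seen on constructed records: events are grouped per Account_Name, a group is cut when its first-to-last span exceeds maxspan, and only groups holding both 4625 and 4768 are kept. The field names (_time, EventCode, Account_Name, Result_Code, Failure_Reason) and the sample records are assumptions, not data from the question.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the question), shaped like the fields Splunk
# extracts from the Windows security log. Only "test" has 4768 + 4625 within 5s.
SAMPLE_EVENTS = [
    {"_time": "2019-01-01 06:00:00", "EventCode": 4768, "Account_Name": "test",
     "Result_Code": "0x12"},
    {"_time": "2019-01-01 06:00:02", "EventCode": 4625, "Account_Name": "test",
     "Failure_Reason": "Account is disabled"},
    {"_time": "2019-01-01 06:05:00", "EventCode": 4768, "Account_Name": "alice",
     "Result_Code": "0x0"},
    {"_time": "2019-01-01 06:30:00", "EventCode": 4625, "Account_Name": "bob",
     "Failure_Reason": "Account is disabled"},
    {"_time": "2019-01-01 06:30:30", "EventCode": 4768, "Account_Name": "bob",
     "Result_Code": "0x12"},
]


def correlate(events, maxspan_seconds=5, required_codes=(4625, 4768)):
    """Group events per Account_Name like `transaction Account_Name maxspan=<N>s`,
    then keep only groups containing every required EventCode (the final `search`)."""
    maxspan = timedelta(seconds=maxspan_seconds)
    ordered = sorted(
        ({**e, "_ts": datetime.strptime(e["_time"], "%Y-%m-%d %H:%M:%S")}
         for e in events),
        key=lambda e: e["_ts"],
    )
    open_txn = {}   # Account_Name -> events of the transaction still being built
    results = []

    def close(name):
        txn = open_txn.pop(name)
        if set(required_codes) <= {e["EventCode"] for e in txn}:
            results.append({
                "Account_Name": name,
                "EventCodes": sorted(e["EventCode"] for e in txn),
                "span_seconds": (txn[-1]["_ts"] - txn[0]["_ts"]).total_seconds(),
            })
    for e in ordered:
        name = e["Account_Name"]
        # maxspan bounds first-to-last event of a transaction: start a new one
        # when the next event for this account falls outside that window.
        if name in open_txn and e["_ts"] - open_txn[name][0]["_ts"] > maxspan:
            close(name)
        open_txn.setdefault(name, []).append(e)

    for name in list(open_txn):   # flush transactions still open at end of data
        close(name)
    return results
```

With the default 5-second window only "test" is reported; widening maxspan_seconds to 60 also pairs bob's two events, which is the drift trade-off the answer describes.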