Hi would like to check if this is possible:
Lets say i have an 2 alert:
alert A: check auth log for locked out in past 24 hour by ip
alert B: check netflow log for upload > 10gb in past 24 hour by ip
Is it possible for splunk to tell me x.x.x.x had trigger alert A on certain date, and trigger alert B on certain date when i query x.x.x.x?
The goal is to tie past alert that had fired to certain field, be it an IP or an account name
So i can easily check how 'suspicious' a user is based on his past triggered alert
Yes possible. I assume both the alert details are stored in an index. Then you can create a search which can look for one or more specific fields and can bring in matching alerts - you would need to widen the search window.
Hi what index would that be? i cant seem to find an index that show alert fired. the closest would be Activity > Triggered alerts but those are not searchable
index=_audit action=alert_fired
Only alerts that have a Trigger Action of "Add to Triggered Alerts" will show up here. However, there are no results from the alert displayed in this index unless you track down the search by the sid
field. However, it is still possible. Here's an overview