I am trying to correlate the field src_IP between all my IDS alerts (sourcetype=estreamer) and OSINT data I am pulling from a custom script. The OSINT script scrapes websites for known bad attacker IP addresses, and I would like to know if any of the src_IPs from my IDS alerts match any of the src_IPs from the OSINT data.
I was looking at subsearches, which seems to be the best way to correlate across different data sets, but I am not having much luck with the syntax.
What I tried was something like this:
sourcetype=estreamer | sourcetype=osint | top limit 100 src_IP | table src_IP
Which I thought should compare the two src_IP fields from each sourcetype and only show the matching results.
Am I headed in the right direction? Any help would be great!
No. The syntax for subsearch is more like:
sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return 1000 src_ip ] | top limit=100 src_ip
or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.
No, in that case you can rename the field, e.g.,
... [ sourcetype=osint | dedup dst_ip | return 1000 src_ip=dst_ip ] ...
or as you said, alias them permanently. But you have to make the inner field match what's in the outer search.
Is there a way to correlate the same query but say src_ip from one source and dst_ip from the other?
I think your answer will work if I create field aliases, but for other types of correlations that don't have a common field - is it still possible?
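The following is an added example, not part of this Splunk Answers thread, that models offline what the accepted answer's subsearch does: the inner search's distinct values become an OR filter (field=value pairs) applied to the outer search, `return` can rename the inner field so a dst_ip list matches the outer src_ip, and the result is then counted like `top`. The IDS alerts and OSINT records are constructed sample data, and the function names are hypothetical; this is Python standing in for SPL, not Splunk code.

```python
"""Offline model of the Splunk subsearch pattern
  sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return N src_ip ] | top limit=100 src_ip
using constructed sample events (not real IDS or OSINT data)."""
from collections import Counter

# Constructed IDS alerts (stand-in for sourcetype=estreamer); src_ip is the field of interest.
IDS_ALERTS = [
    {"src_ip": "203.0.113.5", "sig": "scan"},
    {"src_ip": "198.51.100.7", "sig": "policy"},
    {"src_ip": "203.0.113.5", "sig": "scan"},
    {"src_ip": "192.0.2.44", "sig": "malware"},
    {"src_ip": "192.0.2.99", "sig": "benign-ish"},
]

# Constructed OSINT records (stand-in for sourcetype=osint); one feed uses dst_ip instead.
OSINT_SRC_IPS = [
    {"src_ip": "203.0.113.5", "source": "feedA"},
    {"src_ip": "192.0.2.44", "source": "feedB"},
    {"src_ip": "203.0.113.5", "source": "feedC"},  # duplicate, dropped by dedup
]
OSINT_DST_IPS = [
    {"dst_ip": "198.51.100.7", "source": "feedD"},
]


def subsearch_return(events, field, count=1000, alias=None):
    """Model `dedup <field> | return <count> [<alias>=]<field>`.

    Returns (outer_field, value) pairs. `alias` renames the inner field so the
    pairs match the outer search's field (the dst_ip -> src_ip case above).
    Splunk's `return` hands back only 1 value unless a count is given, which is
    why the count is explicit here and in the corrected SPL.
    """
    distinct = []
    for e in events:
        v = e.get(field)
        if v is not None and v not in distinct:  # dedup keeps first occurrence
            distinct.append(v)
    outer_field = alias or field
    return [(outer_field, v) for v in distinct[:count]]


def apply_subsearch(outer_events, pairs):
    """Keep outer events matching any pair: the implicit (f=v1 OR f=v2 ...) filter."""
    return [e for e in outer_events if any(e.get(f) == v for f, v in pairs)]


def top(events, field, limit=100):
    """Model `top limit=N <field>`: distinct values with counts, most frequent first."""
    return Counter(e[field] for e in events if field in e).most_common(limit)


def correlate(ids=IDS_ALERTS, osint=OSINT_SRC_IPS, inner_field="src_ip",
              outer_field="src_ip", count=1000):
    """Full pipeline: outer IDS events filtered by OSINT values, then counted."""
    pairs = subsearch_return(osint, inner_field, count=count, alias=outer_field)
    return top(apply_subsearch(ids, pairs), outer_field)


if __name__ == "__main__":
    print("src_ip vs src_ip:", correlate())
    print("src_ip vs dst_ip:", correlate(osint=OSINT_DST_IPS, inner_field="dst_ip"))
    print("with return count 1:", correlate(count=1))
```

Running it shows the two matching attacker IPs with their alert counts, the renamed dst_ip match, and how leaving `return` at its default count of 1 silently drops all but the first OSINT value, which is the most common reason this correlation appears to "work" yet misses hits.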