Security

Correlate between source-types (IDS + OSINT sources)

aswanda
Engager

I am trying to correlate the field src_IP between all my IDS alerts (sourcetype=estreamer) and OSINT data I am pulling from a custom script. The OSINT script scrapes websites for known bad attacker IP addresses and I would like to know if any of the src_IP's from my IDS alerts match any of the src_IP's from the OSINT data.

I was looking at subsearches, which seems to be the best way to correlate across different data sets, but I am not having much luck with the syntax.

What I tried was something like this:
sourcetype=estreamer | sourcetype=osint | top limit 100 src_IP | table src_IP

Which I thought should compare the two src_IP fields from each sourcetype and only show the matching results.
Am I headed in the right direction? Any help would be great!

0 Karma
1 Solution

gkanapathy
Splunk Employee

No. The syntax for subsearch is more like:

sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return 10000 src_ip ] | top limit=100 src_ip

or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.

gkanapathy
Splunk Employee

No, in that case you can rename the field, e.g.,

... [ sourcetype=osint | dedup dst_ip | return 10000 src_ip=dst_ip ] ...

or as you said, alias them permanently. But you have to make the inner field match what's in the outer search.

0 Karma
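As an added illustration (not code from this thread or from Splunk itself), the small Python model below mimics what the subsearch in the answers above does: the inner search's values are turned into an OR-ed `field="value"` clause that is substituted into the outer search, which is why the inner field must be renamed to the outer one (`return src_ip=dst_ip`) and why `return` should be given an explicit row count, since it defaults to a single row. The sample OSINT and IDS events are constructed.

```python
import re

# Constructed sample events (not real data). The OSINT feed carries the
# attacker address in dst_ip, the IDS alerts in src_ip, as in the follow-up.
OSINT_EVENTS = [
    {"sourcetype": "osint", "dst_ip": "203.0.113.7"},
    {"sourcetype": "osint", "dst_ip": "198.51.100.23"},
    {"sourcetype": "osint", "dst_ip": "203.0.113.7"},  # duplicate, dropped by dedup
]
IDS_EVENTS = [
    {"sourcetype": "estreamer", "src_ip": "203.0.113.7", "sig": "ET SCAN"},
    {"sourcetype": "estreamer", "src_ip": "10.0.0.5", "sig": "ET POLICY"},
    {"sourcetype": "estreamer", "src_ip": "198.51.100.23", "sig": "ET TROJAN"},
    {"sourcetype": "estreamer", "src_ip": "10.0.0.9", "sig": "ET INFO"},
]

def dedup(events, field):
    """Keep the first event per distinct value of `field`, like `| dedup <field>`."""
    seen, out = set(), []
    for e in events:
        if e.get(field) not in seen:
            seen.add(e.get(field))
            out.append(e)
    return out

def return_clause(events, count, outer_field, inner_field=None):
    """Model of `| return <count> <outer>=<inner>`: the OR-ed filter that Splunk
    substitutes into the outer search. Splunk's default count is 1, so a bare
    `return src_ip` would pass only the first address; give the count explicitly."""
    inner_field = inner_field or outer_field
    terms = [f'{outer_field}="{e[inner_field]}"' for e in events[:count]]
    return "(" + " OR ".join(terms) + ")"

def apply_filter(events, clause):
    """Model of the outer search: keep events matching any field="value" term."""
    terms = re.findall(r'(\w+)="([^"]+)"', clause)
    return [e for e in events if any(e.get(f) == v for f, v in terms)]

def correlate(count=10000):
    """Equivalent of: sourcetype=estreamer [ sourcetype=osint | dedup dst_ip
    | return 10000 src_ip=dst_ip ] -> (expanded clause, matching IDS alerts)."""
    inner = dedup(OSINT_EVENTS, "dst_ip")
    clause = return_clause(inner, count, "src_ip", "dst_ip")
    return clause, apply_filter(IDS_EVENTS, clause)
```

Calling `correlate(1)` reproduces what a bare `return src_ip=dst_ip` would do, matching only the first OSINT address, and building the clause without the alias (`return_clause(..., "dst_ip")`) matches nothing because the IDS events have no `dst_ip` field.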

aswanda
Engager

Is there a way to correlate the same query but say src_ip from one source and dst_ip from the other?
I think your answer will work if I create field aliases, but for other types of correlations that don't have a common field - is it still possible?

0 Karma