Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlate between source-types (IDS + OSINT sources)

aswanda
Engager
‎03-09-2013 04:08 PM

I am trying to correlate the field src_IP between all my IDS alerts (sourcetype=estreamer) and OSINT data I am pulling from a custom script. The OSINT script scrapes websites for known bad attacker IP addresses and I would like to know if any of the src_IP's from my IDS alerts match any of the src_IP's from the OSINT data.

I was looking at subsearches, which seems to be the best way to correlate across different data sets, but I am not having much luck with the syntax.

What I tried was something like this:
sourcetype=estreamer | sourcetype=osint | top limit 100 src_IP | table src_IP

Which I thought should compare the two src_IP fields from each sourcetype and only show the matching results.
Am I headed in the right direction? Any help would be great!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-09-2013 05:35 PM

No. The syntax for subsearch is more like:

sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return src_ip ] | top limit 100 src_ip

or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-09-2013 05:35 PM

No. The syntax for subsearch is more like:

sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return src_ip ] | top limit 100 src_ip

or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-14-2013 08:45 AM

no, in that case you can rename the field, e.g., 

... [ sourcetype=osint | dedup dst_ip | return src_ip=dst_ip ] ...

or as you said, alias them permanently. But you have to make the inner field match what's in the outer search.

0 Karma
Reply
Solved! Jump to solution

aswanda
Engager
‎03-13-2013 09:42 PM

Is there a way to correlate the same query but say src_ip from one source and dst_ip from the other?
I think your answer will work if I create field aliases, but for other types of correlations that don't have a common field - is it still possible?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...