You will need to do it one step earlier; I'll need to change the correlation searches that generate the notables. For example, if you have a tstats correlation search, you would need to add something like values(sourcetype) as origin_sourcetype.
Example below:
Correlation Search concurrent login attempts detected (original search):
| tstats summariesonly count from datamodel=Authentication.Authentication by _time,Authentication.app,Authentication.src,Authentication.user span=1s
| drop_dm_object_name("Authentication")
| eventstats dc(src) as src_count by app,user
| search src_count>1
| sort 0 + _time
| streamstats current=t window=2 earliest(_time) as previous_time,earliest(src) as previous_src by app,user | where (src!=previous_src)
| eval time_diff=abs(_time-previous_time)
| where time_diff<300
You could add the following:
| tstats summariesonly count, values(sourcetype) as origin_sourcetype from datamodel=Authentication.Authentication by _time,Authentication.app,Authentication.src,Authentication.user span=1s
| drop_dm_object_name("Authentication")
| eventstats dc(src) as src_count by app,user,origin_sourcetype
| search src_count>1
| sort 0 + _time
| streamstats current=t window=2 earliest(_time) as previous_time,earliest(src) as previous_src by app,user,origin_sourcetype
| where (src!=previous_src)
| eval time_diff=abs(_time-previous_time)
| where time_diff<300
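The correlation logic above (distinct-source check, time-ordered comparison with the previous event, 300-second window) reproduced in Python over constructed authentication rows, as an added example that is not part of the original post or any Splunk content. The rows stand in for what the tstats search returns after drop_dm_object_name("Authentication"); the field names match the search, and the `split_by_sourcetype` switch is an assumption used to contrast the original `by app,user` grouping with the modified `by app,user,origin_sourcetype` grouping. Running both shows the side effect of adding the field to the `by` clauses: a user whose two logins arrive through different sourcetypes is no longer paired, so that case stops producing a notable.

```python
from collections import defaultdict

# Constructed sample events (not real data): one row per authentication event,
# shaped like the tstats output after drop_dm_object_name("Authentication").
SAMPLE_EVENTS = [
    {"_time": 1000, "app": "vpn", "src": "10.0.0.5",      "user": "alice", "origin_sourcetype": "cisco:asa"},
    {"_time": 1120, "app": "vpn", "src": "203.0.113.9",   "user": "alice", "origin_sourcetype": "cisco:asa"},
    {"_time": 1130, "app": "vpn", "src": "10.0.0.5",      "user": "bob",   "origin_sourcetype": "cisco:asa"},
    {"_time": 2000, "app": "vpn", "src": "10.0.0.5",      "user": "bob",   "origin_sourcetype": "cisco:asa"},
    {"_time": 3000, "app": "web", "src": "10.0.0.7",      "user": "carol", "origin_sourcetype": "nginx:access"},
    {"_time": 3100, "app": "web", "src": "198.51.100.4",  "user": "carol", "origin_sourcetype": "okta:system"},
]


def concurrent_logins(events, window_seconds=300, split_by_sourcetype=True):
    """Mimic the correlation search in plain Python.

    - group key = app,user (plus origin_sourcetype when split_by_sourcetype,
      matching the modified search's `by` clauses)
    - eventstats dc(src) > 1: drop groups seen from a single source
    - sort by _time, then streamstats window=2: compare each event with the
      previous one in its group (previous_time / previous_src)
    - where src != previous_src and abs(time difference) < window_seconds
    Returns one finding dict per flagged event pair.
    """
    key_fields = ["app", "user"]
    if split_by_sourcetype:  # assumption: switch added for this example only
        key_fields.append("origin_sourcetype")

    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev[f] for f in key_fields)].append(ev)

    findings = []
    for evs in groups.values():
        # eventstats dc(src) as src_count ... | search src_count>1
        if len({e["src"] for e in evs}) < 2:
            continue
        evs = sorted(evs, key=lambda e: e["_time"])  # sort 0 + _time
        # streamstats current=t window=2 earliest(_time), earliest(src):
        # for event i the window holds events i-1 and i, so "previous_*"
        # are the fields of event i-1; the first event compares with itself
        # and is never flagged, exactly as in the SPL.
        for prev, cur in zip(evs, evs[1:]):
            time_diff = abs(cur["_time"] - prev["_time"])
            if cur["src"] != prev["src"] and time_diff < window_seconds:
                findings.append({
                    "app": cur["app"],
                    "user": cur["user"],
                    "src": cur["src"],
                    "previous_src": prev["src"],
                    "time_diff": time_diff,
                    "origin_sourcetype": cur["origin_sourcetype"],
                })
    return findings


if __name__ == "__main__":
    print("grouped by app,user,origin_sourcetype:")
    for f in concurrent_logins(SAMPLE_EVENTS):
        print("  ", f)
    print("grouped by app,user only:")
    for f in concurrent_logins(SAMPLE_EVENTS, split_by_sourcetype=False):
        print("  ", f)
```

With the sample rows, the app,user grouping flags both alice (two VPN sources 120 s apart) and carol (two web sources 100 s apart), while adding origin_sourcetype to the grouping flags only alice, because carol's two events sit in different sourcetype buckets. Bob is never flagged: both of his events share one src, so dc(src) is 1. If the goal is only to carry the sourcetype into the notable, keeping origin_sourcetype out of the eventstats/streamstats `by` clauses and leaving it as a values() field on each row preserves the original pairing behaviour.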