We are looking to trigger a notable event when a series of events happen in a short period of time and in a specific order. For instance, looking at our Palo Alto Wildfire then looking for C2 or other suspicious traffic within 30 seconds. This type of logic could easily be applied to other scenarios or parts of the Cyber Kill Chain, so I would like to come up with a repeatable way of alerting when a series of events happen.
We have successfully created a search using |transaction in a Search, but I'm curious if this is the most efficient way to do this. We dumped this into a correlation search, which has yet to trigger (which might be a good indicator, lol).
sourcetype=pan_threat from!=DMZ to!=DMZ (category=spyware OR category=file OR category=malware) action!=sinkhole | transaction dest_ip startswith="wildfire" endswith="spyware OR malware" maxevents=2 maxspan=30s
All of this data is available in Data Models (which I am guessing is the most efficient method), however I am not sure how to write it. Other posts on here that are somewhat related show using multiple |tstats commands in the same search, however this throws an error for me saying that tstats needs to be the first command (which it is, it's just followed by another).
One resource I have found helpful is Dave Veuve's presentation from .conf: http://conf.splunk.com/session/2015/conf2015_DVeuve_Splunk_SecurityCompliance_SecurityJiujitsuBuildingCorrelation.pdf
Any input is appreciated!
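To make the ordered, time-windowed correlation in the question concrete outside Splunk, here is an added Python illustration (not the poster's search and not Splunk code) of the same logic: an "ordered sequence within maxspan" detector, generalized from the two-step wildfire-then-spyware/malware case to N steps, run over constructed sample PAN threat events. Field names (dest_ip, category) and the category values follow the question; the timestamps and IPs are made up.

```python
"""Ordered-sequence correlation over threat events, grouped by dest_ip."""
from datetime import datetime, timedelta

# Constructed sample events (timestamp, dest_ip, category); not real log data.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "10.1.1.5", "wildfire"),
    ("2024-01-01T10:00:12", "10.1.1.5", "spyware"),   # 12s later -> alert
    ("2024-01-01T10:05:00", "10.1.1.9", "malware"),
    ("2024-01-01T10:05:05", "10.1.1.9", "wildfire"),  # wrong order -> no alert
    ("2024-01-01T10:10:00", "10.1.1.7", "wildfire"),
    ("2024-01-01T10:10:45", "10.1.1.7", "malware"),   # 45s > 30s window -> no alert
    ("2024-01-01T10:20:00", "10.1.1.5", "file"),      # not part of the sequence
]


def find_sequences(events, steps, max_span_seconds):
    """Return (dest_ip, start_iso, end_iso) for every completed ordered sequence.

    steps: list of category sets, one per step, in the required order
           (startswith/endswith from |transaction generalized to N steps).
    max_span_seconds: the whole sequence must complete inside this window.
    State per dest_ip is (index of the next expected step, sequence start time).
    """
    max_span = timedelta(seconds=max_span_seconds)
    state = {}
    hits = []
    for ts, dest_ip, category in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        idx, start = state.get(dest_ip, (0, None))
        # A partial sequence whose window has expired is discarded.
        if start is not None and t - start > max_span:
            idx, start = 0, None
        if category in steps[idx]:
            if idx == 0:
                start = t
            idx += 1
            if idx == len(steps):            # final step reached: emit a hit
                hits.append((dest_ip, start.isoformat(), t.isoformat()))
                idx, start = 0, None
        elif idx > 0 and category in steps[0]:
            idx, start = 1, t                # a fresh first step restarts the window
        state[dest_ip] = (idx, start)
    return hits


def detect_wildfire_then_c2(events=SAMPLE_EVENTS):
    """The question's case: wildfire followed by spyware or malware within 30s."""
    return find_sequences(events, [{"wildfire"}, {"spyware", "malware"}], 30)
```

Widening the window to 60 seconds makes the 10.1.1.7 pair match as well, and appending a third step such as {"file"} chains the sequence further, which is the "repeatable" part the question asks for.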