Hi all,
I have created a table that will show all FireEye events logged that contain a certain MAC address. This is the query:
eventtype=fe product="Web MPS" (src_mac="00:26:99:bd:24:60" OR dest_mac="00:26:99:bd:24:60") *
| eval sig= coalesce(signature, sig_name), _time = strftime(_time, "%D %H:%M:%S")
| table src_ip, src_mac, dest_ip, dest_mac, category, sig, _time
| rename src_ip as Source, src_mac as "Source MAC", dest_ip as Destination, dest_mac as "Destination MAC", category as "Connection Type", sig as Malware, _time as Time
The MAC address is passed in through the parameter %src_mac%. I'd like to add the user associated with %src_mac% to the end of the table. Users are not logged in the FireEye events, but they are contained in login authentication logs (eventtype = *_auth_*) as the field "user". The login event that needs to be read has to be the last event before the time that the FireEye event was recorded.
So I need to query logs where eventtype = *_auth_* AND MAC = %src_mac% from the same earliest time through the time of the FireEye event in question, take the "user" field from the most recent log, and append that onto the FireEye event. How should I go about doing this?
Thanks
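One way to get the "last login before each FireEye event" without a subsearch is to pull both event sets in a single search, sort them chronologically, and let streamstats carry the most recent non-null user forward onto the FireEye rows; this is an added example, not code from the original post. It assumes the auth events carry the MAC in a field named src_mac (the post does not name the field) and that only the FireEye events have product="Web MPS".

```spl
(eventtype=fe product="Web MPS" (src_mac="%src_mac%" OR dest_mac="%src_mac%"))
    OR (eventtype=*_auth_* src_mac="%src_mac%")
| eval kind=if(product="Web MPS", "fe", "auth")
| sort 0 _time
| streamstats last(user) as user
| where kind="fe"
| eval sig=coalesce(signature, sig_name), _time=strftime(_time, "%D %H:%M:%S")
| table src_ip, src_mac, dest_ip, dest_mac, category, sig, _time, user
| rename src_ip as Source, src_mac as "Source MAC", dest_ip as Destination, dest_mac as "Destination MAC", category as "Connection Type", sig as Malware, _time as Time, user as User
```

Because last(user) skips null values, each FireEye row (where user is empty) picks up the user from the latest auth event that precedes it in time; the sort must happen while _time is still numeric, so keep the strftime after the streamstats. If the last login happened before the search window's earliest time, User will be blank for the early rows, so widen the earliest time or seed the search from an auth lookup in that case.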