I have a search which is using transaction to create events for each transaction. I then need to filter those events to show only transaction events containing one of many IP addresses returned from a subsearch.
host=ADFS* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=501 OR EventCode=299 OR EventCode=410)
| fields _time, Account_Name, Security_ID, Activity_ID, Instance_ID, X_MS_Forwarded_Client_IP, EventCode
| eval Account_Name=mvindex(Account_Name, 1)
| rex field=X_MS_Forwarded_Client_IP mode=sed "s/(,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})//"
| transaction Security_ID Activity_ID Instance_ID maxspan=10s startswith=EventCode=4624 endswith=EventCode=410
The results of which will contain the IP address in the X_MS_Forwarded_Client_IP field.
This is the subsearch I have to find my target IP addresses which I need to filter on:
[index="its-o365-audit" Status=Delivered SenderAddress="<>" FromIP!=129.100.* FromIP!=10.*
| top 100 FromIP | search count>5 | table FromIP | rename FromIP as X_MS_Forwarded_Client_IP]
I'm not sure how to filter from here. I can do search X_MS_Forwarded_Client_IP="1.2.3.4", but that only works if I want to hard code a single IP into my search. I want to see all transactions for all IPs returned from the subsearch.
Thanks,
Andrew
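One way to do this, as an added example that is not part of the original post: pipe the transaction results into a `search` command whose search terms come from the subsearch. Splunk expands a subsearch used this way into an OR clause over the field(s) it returns, so renaming `FromIP` to `X_MS_Forwarded_Client_IP` inside the subsearch (as the post already does) is exactly what makes the generated clause match the transaction events. The index, sourcetype, field names and thresholds are taken from the post as-is; `limit=100` is just the explicit form of `top 100`.

```spl
host=ADFS* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=501 OR EventCode=299 OR EventCode=410)
| fields _time, Account_Name, Security_ID, Activity_ID, Instance_ID, X_MS_Forwarded_Client_IP, EventCode
| eval Account_Name=mvindex(Account_Name, 1)
| rex field=X_MS_Forwarded_Client_IP mode=sed "s/(,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})//"
| transaction Security_ID Activity_ID Instance_ID maxspan=10s startswith=EventCode=4624 endswith=EventCode=410
| search [ search index="its-o365-audit" Status=Delivered SenderAddress="<>" FromIP!=129.100.* FromIP!=10.*
           | top limit=100 FromIP
           | search count>5
           | fields FromIP
           | rename FromIP AS X_MS_Forwarded_Client_IP ]
| table _time, Account_Name, Security_ID, X_MS_Forwarded_Client_IP, EventCode, duration, eventcount
```

Two things worth checking when this is deployed. First, you can see exactly what the subsearch turns into by running it on its own with `| format` appended; it should print a clause of the form `( ( X_MS_Forwarded_Client_IP="1.2.3.4" ) OR ( X_MS_Forwarded_Client_IP="5.6.7.8" ) ... )`. If that list is empty the outer `search` matches nothing, so an empty result set may mean the subsearch found no sender IPs rather than that no ADFS transactions exist. Second, a subsearch is subject to the default result and runtime limits (10,000 results and 60 seconds); `top limit=100` keeps this one well inside them. After `transaction`, `X_MS_Forwarded_Client_IP` is typically multivalue (one value per grouped event), and `search field=value` matches a transaction if any of its values matches, which is the behaviour you want here.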