I have a tool that has three different rules, each rule composed of a list of unique keywords. A rule is triggered when a specific keyword is observed in a user's network traffic. What I want to do is generate a list of the keywords a user is hitting once that user has triggered rule1, rule2, and rule3.
I can generate a list of all keywords triggered by all users, but I don't want the results when a user has only triggered one or two of the rules. A user must trigger all three rules; then output the list of keywords observed.
The string that has the keyword is in the format:
keyword;username;date
I have a query that shows me a list of users that have triggered each rule at least once:
index=tool | rex field=string "(?<USER>(?<=;)[^;]*(?=;))" ```named group restored; the name USER is assumed, the original was stripped from the post``` | chart count over USER by rule ```pivoted to one column per rule so the where clause below has rule1/rule2/rule3 fields to test``` | where rule1>0 AND rule2>0 AND rule3>0
How can I take the output from this and then generate a list of the keywords? I tried using the above query as a subsearch but that didn't seem to work.
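The logic the question is asking for, as an added example that is not part of the original post: parse the `keyword;username;date` string, collect per user both the set of rules that fired and the set of keywords seen, keep only users whose rule set covers all three rules, and emit their keywords. The rule names, the sample records and the malformed line are constructed here for illustration; nothing below is the poster's data or the tool's own code.

```python
"""Added example: 'all three rules, then list the keywords' over constructed
keyword;username;date records. Not from the original post."""
import re
from collections import defaultdict

# The three rules the post describes (names assumed to match the tool's rule field).
REQUIRED_RULES = frozenset({"rule1", "rule2", "rule3"})

# Constructed sample events: (rule that fired, raw string field). Not real traffic.
SAMPLE_EVENTS = [
    ("rule1", "wget;alice;2024-01-02"),
    ("rule2", "curl;alice;2024-01-02"),
    ("rule3", "nc;alice;2024-01-03"),
    ("rule1", "wget;bob;2024-01-02"),      # bob hits only rule1 and rule2
    ("rule2", "python;bob;2024-01-03"),
    ("rule1", "wget;carol;2024-01-04"),
    ("rule3", "nc;carol;2024-01-04"),
    ("rule2", "curl;carol;2024-01-05"),
    ("rule1", "not a valid record"),        # malformed; must be skipped, not crash
]

# Anchored so a stray ';' in the keyword cannot shift which field is the username.
RECORD_RE = re.compile(r"^(?P<keyword>[^;]*);(?P<user>[^;]*);(?P<date>[^;]*)$")


def parse_record(raw):
    """Return {'keyword', 'user', 'date'} for a well-formed record, else None."""
    m = RECORD_RE.match(raw)
    return m.groupdict() if m else None


def rules_hit_per_user(events):
    """First pass, equivalent to the poster's 'which users hit which rules' query."""
    rules_by_user = defaultdict(set)
    for rule, raw in events:
        rec = parse_record(raw)
        if rec is None:
            continue
        rules_by_user[rec["user"]].add(rule)
    return dict(rules_by_user)


def keywords_for_users_hitting_all_rules(events, required=REQUIRED_RULES):
    """Second pass: keywords, per user, only for users whose rule set covers all required rules."""
    rules_by_user = defaultdict(set)
    keywords_by_user = defaultdict(set)
    for rule, raw in events:
        rec = parse_record(raw)
        if rec is None:
            continue
        rules_by_user[rec["user"]].add(rule)
        keywords_by_user[rec["user"]].add(rec["keyword"])
    # Superset test rather than a count of 3, so extra rules never let a user slip through
    # and a user who hit one rule three times is not mistaken for one who hit all three.
    return {
        user: sorted(keywords_by_user[user])
        for user, rules in sorted(rules_by_user.items())
        if rules >= required
    }


if __name__ == "__main__":
    for user, keywords in keywords_for_users_hitting_all_rules(SAMPLE_EVENTS).items():
        print(user, ",".join(keywords))
```

The two-pass shape is the point: a single `count by rule` cannot answer "all three", because the grouping key has to be the user and the rule coverage has to be tested per user before any keyword is listed. In SPL the same shape would be one aggregation keyed on the user, for example `stats dc(rule) AS rules_hit values(keyword) AS keywords by user | where rules_hit=3` after a rex that names the keyword and user groups; that query is an assumption about the tool's fields and was not run against it.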