Hi, I would like to check if this is possible:
Let's say I have 2 alerts:
alert A: check the auth log for lockouts in the past 24 hours, by IP
alert B: check the netflow log for uploads > 10 GB in the past 24 hours, by IP
Is it possible for Splunk to tell me that x.x.x.x triggered alert A on a certain date and triggered alert B on a certain date when I query x.x.x.x?
The goal is to tie past alerts that have fired to a certain field, be it an IP or an account name,
so I can easily check how 'suspicious' a user is based on his past triggered alerts.
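The pattern the question is after is an alert ledger keyed by entity: every time an alert fires, record the alert name, the entity field it grouped by (IP or account) and the time, then query that record by entity. In Splunk that record is normally a summary index that each alert writes into (for example with the `collect` command), searched with the entity field as the filter. The Python below is an added example, not code from the post or from Splunk: it runs the two alerts from the question over constructed log lines, stores each firing in such a ledger, and answers "what has x.x.x.x triggered, and when" plus a weighted score. The threshold of one lockout, the alert weights, the calendar-day window (standing in for the rolling 24-hour window a scheduled search would use) and the key=value log format are all assumptions.

```python
"""Tie past alert firings to an entity (IP or account) so its history can be
queried and scored. Added example mirroring the two alerts in the question;
the log lines, format, thresholds and weights below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample logs (documentation addresses): ISO timestamp, then key=value pairs.
AUTH_LOG = [
    "2024-05-01T08:00:01 src_ip=203.0.113.7 user=alice status=failed",
    "2024-05-01T08:00:05 src_ip=203.0.113.7 user=alice status=locked_out",
    "2024-05-02T09:12:44 src_ip=203.0.113.7 user=bob status=locked_out",
    "2024-05-02T09:13:00 src_ip=198.51.100.9 user=carol status=failed",
]
NETFLOW_LOG = [
    "2024-05-03T01:00:00 src_ip=203.0.113.7 bytes_out=6000000000",
    "2024-05-03T02:00:00 src_ip=203.0.113.7 bytes_out=5000000000",
    "2024-05-03T02:30:00 src_ip=198.51.100.9 bytes_out=1000000000",
]


@dataclass(frozen=True)
class Firing:
    alert: str    # alert name, e.g. "A"
    entity: str   # value of the field the alert grouped by (IP or account)
    day: date     # window in which it fired
    detail: str   # evidence summary kept alongside the firing


def parse(line):
    """Split one constructed log line into a dict of fields plus a parsed _time."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["_time"] = datetime.fromisoformat(ts)
    return fields


def alert_a(lines, by="src_ip", threshold=1):
    """Alert A: lockouts per entity per day (assumed threshold: one lockout)."""
    counts = defaultdict(int)
    for f in map(parse, lines):
        if f.get("status") == "locked_out":
            counts[(f[by], f["_time"].date())] += 1
    return [Firing("A", ent, day, f"{n} lockout(s)")
            for (ent, day), n in sorted(counts.items()) if n >= threshold]


def alert_b(lines, by="src_ip", limit=10 * 10**9):
    """Alert B: total bytes uploaded per entity per day above 10 GB."""
    total = defaultdict(int)
    for f in map(parse, lines):
        total[(f[by], f["_time"].date())] += int(f["bytes_out"])
    return [Firing("B", ent, day, f"{n / 1e9:.1f} GB uploaded")
            for (ent, day), n in sorted(total.items()) if n > limit]


def build_ledger(auth_lines, netflow_lines):
    """Ledger keyed by entity: the stand-in for a summary index of fired alerts.
    Alert A is recorded both by IP and by account so either can be queried."""
    ledger = defaultdict(list)
    for firing in alert_a(auth_lines) + alert_a(auth_lines, by="user") + alert_b(netflow_lines):
        ledger[firing.entity].append(firing)
    return ledger


def history(ledger, entity):
    """Every alert this entity has triggered, oldest first."""
    return sorted(ledger.get(entity, []), key=lambda f: (f.day, f.alert))


WEIGHTS = {"A": 1, "B": 3}  # assumed weights; tune per environment


def suspicion(ledger, entity):
    """Weighted count of past firings for the entity."""
    return sum(WEIGHTS[f.alert] for f in ledger.get(entity, []))


if __name__ == "__main__":
    ledger = build_ledger(AUTH_LOG, NETFLOW_LOG)
    for f in history(ledger, "203.0.113.7"):
        print(f"{f.entity} triggered alert {f.alert} on {f.day}: {f.detail}")
    print("suspicion score:", suspicion(ledger, "203.0.113.7"))
```

Querying the ledger for `203.0.113.7` returns alert A on 2024-05-01 and 2024-05-02 and alert B on 2024-05-03; the same ledger answers for an account name (`alice`) because alert A was recorded under both fields. Keeping the evidence summary with each firing matters in practice: the score alone tells an analyst nothing about why an entity is suspicious.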