Match 2 Windows Events around the same time

I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example, an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 would have a failure also logged saying "account is disabled". I can find both of these as separate events but how do I correlate them. For example if I did say 'sourcetype="winseclogs" Eventcode=4768' I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say 'sourcetype="winseclogs" Eventcode=4625' I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slight drift). How would I correlate these into a single search? I tried this and it looks like it should work but not too sure 'sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]'
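The correlation the question asks for, shown as an added example that is not part of the original post: pair a 4768 whose result code is 0x12 (KDC_ERR_CLIENT_REVOKED, which the KDC returns for disabled accounts) with a 4625 "account disabled" failure for the same account inside a tolerance window. The sample log lines and the `Result_Code` / `Failure_Reason` field names are constructed assumptions, not output from the poster's environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original post), in a simplified
# key=value layout resembling what a Windows security log forwarder emits.
SAMPLE_EVENTS = [
    '2019-01-01 06:00:01 EventCode=4768 Account_Name=test Result_Code=0x12',
    '2019-01-01 06:00:03 EventCode=4625 Account_Name=test Failure_Reason="Account currently disabled"',
    '2019-01-01 06:10:00 EventCode=4768 Account_Name=alice Result_Code=0x0',
    '2019-01-01 06:10:02 EventCode=4625 Account_Name=alice Failure_Reason="Unknown user name or bad password"',
    '2019-01-01 07:00:00 EventCode=4625 Account_Name=bob Failure_Reason="Account currently disabled"',
]


def parse_event(line):
    """Split a sample line into a timestamp plus key=value fields (quoted values allowed)."""
    ts_str, rest = line[:19], line[20:]
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    fields["_time"] = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    return fields


def correlate_disabled_logons(lines, drift=timedelta(seconds=30)):
    """Return one match per (4768 with 0x12, 4625 'disabled') pair for the same
    account whose timestamps differ by at most `drift`, so slight clock skew
    between the KDC event and the logon failure does not break the join."""
    events = [parse_event(line) for line in lines]
    tgt_failures = [e for e in events
                    if e["EventCode"] == "4768" and e.get("Result_Code") == "0x12"]
    logon_failures = [e for e in events
                      if e["EventCode"] == "4625"
                      and "disabled" in e.get("Failure_Reason", "").lower()]
    matches = []
    for t in tgt_failures:
        for f in logon_failures:
            same_account = f["Account_Name"] == t["Account_Name"]
            if same_account and abs(f["_time"] - t["_time"]) <= drift:
                matches.append({
                    "account": t["Account_Name"],
                    "tgt_time": t["_time"].isoformat(),
                    "logon_fail_time": f["_time"].isoformat(),
                })
    return matches


if __name__ == "__main__":
    for m in correlate_disabled_logons(SAMPLE_EVENTS):
        print(m)  # only the "test" account has both events within the window
```

The alice events are within the window but her 4768 succeeded (0x0), and bob has a 4625 with no matching 4768, so neither is reported.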
