The following search utilizes Windows Security event logs and produces a five-column table that has the fields noted below:
Sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3 | dedup user src_ip Workstation_Name sortby _time | table _time user ComputerName Workstation_Name src_ip | sort -_time
Because Windows generates a LOT of duplicate-esque events, the dedup command here is taking only the MOST RECENT event that has occurred. You should be able to see that with the "sortby _time". This search works perfectly, no issues, and you can see it generates an "IP address history table." This is a DHCP environment.
So, let's say there's an event from another sourcetype that has the following fields, where A, B, and C are some attribute of the sourcetype like URL, URI_Query, etc.:
_time src_ip fieldA fieldB fieldC
or,
sourcetype=securitytool | table _time src_ip fieldA fieldB fieldC
Now, what I want to do is take the src_ip from this second search and find out who the user is from the first search.
Manually hardcoding the IP for testing purposes, it gives me the correct answer like this:
Sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3 src_ip=xxx | dedup user src_ip Workstation_Name sortby _time | table _time user ComputerName Workstation_Name src_ip | sort -_time | head 1
BUT, I am having trouble using join/append/subsearch or some other machination to make this work automagically. I tried some forms of subsearching to no avail... any of the subsearch shortcuts don't work because they are two different sourcetypes. I want the output to look like this:
_time user ComputerName Workstation_Name src_ip fieldA fieldB fieldC
Thoughts? The logic here is 1) you see an event with an IP, 2) you want to go look and see who "had" that IP last to attribute the event to an actual user.
How to edit my search for time-based correlation between two different sourcetypes (IP Attribution)?
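The attribution logic described in the question (step 1: an event carries an IP; step 2: find who "had" that IP last), worked through outside Splunk as an added example. This is not code from the original post and not Splunk's own join or dedup implementation: the two event sets are constructed sample rows whose field names mirror the two searches in the post (_time, user, ComputerName, Workstation_Name, src_ip, fieldA, fieldB, fieldC). It goes one step beyond the post's hardcoded-IP search: instead of taking the globally latest logon for an IP, it takes the last logon from that IP at or before the security-tool event's own time, which is what "who had that IP last" has to mean in a DHCP environment where the same address is reassigned during the day. The helper names (build_ip_history, attribute) are this example's own.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the original post). ISO timestamps stand in
# for Splunk's _time; field names follow the two searches in the question.
LOGON_EVENTS = [  # stands in for sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3
    {"_time": "2024-03-01T08:00:00", "user": "alice", "ComputerName": "FS01",
     "Workstation_Name": "LAPTOP-A", "src_ip": "10.0.0.5"},
    {"_time": "2024-03-01T08:05:00", "user": "alice", "ComputerName": "FS01",
     "Workstation_Name": "LAPTOP-A", "src_ip": "10.0.0.5"},  # the "duplicate-esque" repeat
    {"_time": "2024-03-01T12:00:00", "user": "bob", "ComputerName": "FS02",
     "Workstation_Name": "LAPTOP-B", "src_ip": "10.0.0.5"},  # DHCP handed the IP to bob
    {"_time": "2024-03-01T09:30:00", "user": "carol", "ComputerName": "FS01",
     "Workstation_Name": "LAPTOP-C", "src_ip": "10.0.0.9"},
]

TOOL_EVENTS = [  # stands in for sourcetype=securitytool
    {"_time": "2024-03-01T10:00:00", "src_ip": "10.0.0.5",
     "fieldA": "/admin", "fieldB": "GET", "fieldC": "403"},
    {"_time": "2024-03-01T13:00:00", "src_ip": "10.0.0.5",
     "fieldA": "/upload", "fieldB": "POST", "fieldC": "200"},
    {"_time": "2024-03-01T07:00:00", "src_ip": "10.0.0.9",
     "fieldA": "/login", "fieldB": "POST", "fieldC": "401"},  # before any logon from that IP
    {"_time": "2024-03-01T11:00:00", "src_ip": "10.0.0.77",
     "fieldA": "/", "fieldB": "GET", "fieldC": "200"},  # IP never seen in logon events
]

OUTPUT_COLUMNS = ["_time", "user", "ComputerName", "Workstation_Name",
                  "src_ip", "fieldA", "fieldB", "fieldC"]


def _ts(value):
    return datetime.fromisoformat(value)


def build_ip_history(logons):
    """Index logon events per src_ip in time order, collapsing back-to-back
    repeats of the same (user, ComputerName, Workstation_Name) into the most
    recent one. Collapsing only consecutive repeats keeps a user who gets the
    same IP back after someone else had it, which a plain dedup would drop."""
    by_ip = defaultdict(list)
    for ev in sorted(logons, key=lambda e: _ts(e["_time"])):
        hist = by_ip[ev["src_ip"]]
        key = (ev["user"], ev["ComputerName"], ev["Workstation_Name"])
        if hist and (hist[-1]["user"], hist[-1]["ComputerName"],
                     hist[-1]["Workstation_Name"]) == key:
            hist[-1] = ev  # keep the most recent of the repeats
            continue
        hist.append(ev)
    # Pre-extract the timestamps so lookups can bisect instead of scanning.
    return {ip: ([_ts(e["_time"]) for e in hist], hist) for ip, hist in by_ip.items()}


def attribute(tool_events, history):
    """For each tool event, attach the last logon from its src_ip at or before
    the event time. Rows use the column order the question asks for; the user
    fields stay None when no earlier logon from that IP exists."""
    rows = []
    for ev in tool_events:
        match = None
        entry = history.get(ev["src_ip"])
        if entry:
            times, hist = entry
            i = bisect_right(times, _ts(ev["_time"]))
            if i > 0:
                match = hist[i - 1]
        rows.append({
            "_time": ev["_time"],
            "user": match["user"] if match else None,
            "ComputerName": match["ComputerName"] if match else None,
            "Workstation_Name": match["Workstation_Name"] if match else None,
            "src_ip": ev["src_ip"],
            "fieldA": ev["fieldA"], "fieldB": ev["fieldB"], "fieldC": ev["fieldC"],
        })
    return rows


if __name__ == "__main__":
    for row in attribute(TOOL_EVENTS, build_ip_history(LOGON_EVENTS)):
        print(" ".join(str(row[c]) for c in OUTPUT_COLUMNS))
```

The two rows for 10.0.0.5 illustrate why the event time matters: the 10:00 event lands on alice, the 13:00 event on bob, although a search that simply keeps the newest 4624 for the IP would attribute both to bob. The unattributed rows (an event earlier than any logon from that IP, or an IP with no logons at all) are kept with empty user fields rather than dropped, so they remain visible for review.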