Correlating/Matching data from 2 sources with diferent field types

This is the scenario and I am using elastic 7.17;

•Data source 1: VPN Network traffic data ingested with the usual fields (event.outcome: "success" and event.action: "login” etc (JSON)
•Data source 2: Logs from door Badge access control entry systems: (badge.request: “granted” and “user one”)

I want to create a security rule to match event from data source 1 and data source 2 and get an alert when all events occurs within 15 minutes.

For instance, VPN network traffic event (event.outcome: "success" and event.action: "login" ),
matches /correlate
Logs from door Badge access control entry systems (badge.request: “granted” and “user one”)

That said, is it possible to query and create a security alert rule with data from those 2 different sources/fields and how?

Which type of security alert rule is the best option to create this type of rule when all events occur within 15 minutes?

When I do a normal discovery query to try and match VPN traffic with door badge, I get nothing.
However, I do get some result when I create the below security rule using “Event Correlation rule” but I am not sure it’s accurate.

Sequence with maxspan=15m

[ any where event.outcome: "success" and event.action: "login]
[ any where badge.request: “granted” and “user one” ]

Appreciate your help in advance.

HI @erni23, welcome!

If you want to be alerted whenever a sequence of events occurs in a certain order, within a certain time frame, then you're correct that the Event Correlation Rule is the right tool for you.

Leveraging the EQL language, these rules allow you to construct a query describing the desired event sequence. When a sequence is found, a single summary alert will be generated, along with a building block alert for each event in the sequence.

That being said, a few notes on your query:

sequence with maxspan=15m
 [ any where event.outcome: "success" and event.action: "login]
 [ any where badge.request: “granted” and “user one” ]
  1. There doesn't appear to be any "correlation" happening here; how do you know that the login event is related to the badge request? Typically, the by keyword is used to ensure that the sequence of events all comes from the same IP/host/user, e.g. sequence by host.ip with maxpan=15m
  2. Replacing your anys above with a more specific event category field will give the query better performance, as it will not have to search as many documents. For example:
sequence with maxspan=15m
 [ authentication where event.outcome: "success" and event.action: "login]
 [ authentication where badge.request: “granted” and “user one” ]

would effectively add a filter of event.category: "authentication" to your query.

So: it looks like you've found the proper solution, and there are a few additional optimizations you can/may make. Please let us know if you have more questions!

Hi Ryland, thanks for the information. However,

  1. This does not have to be a correlation event. I just want to be alerted when any of those events occur.

  2. I tried creating the rule with "Authentication ( ```
    [ authentication where event.outcome: "success" and event.action: "login]

3) The fields that I have provided is just a place holder, it does not have to be authentication event. It could be hostname, ip, id etc

4) Finally, there is no relationship between those 2 sources.  The badge logs is ingested via webhook. 

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.