Correlating two log sources in Elastic Security

I'm struggling to correlate logs from two sources in my case. Basically, I want to make a correlation, with or without a sequence, between the firewall and endpoint security data sources. But the references I've read have not solved my problem. Do I need to normalize the fields to the same field names to be able to do this correlation, or is there any other suggestion?

Hey Kliwon,

"Normalizing the fields with the same field name is indeed a helpful approach to simplify the correlation process. By ensuring consistency in both data sources, it becomes easier to match and compare the logs effectively.

In cases where the field names differ between the two sources, you can utilize the Kibana Index Pattern's 'Field Alias' feature to map different field names to a common name.

Additionally, consider employing a 'Common Identifier' if both data sources possess unique identifiers, such as 'User ID' or 'IP address.' These identifiers can be used to correlate events across the sources.

Lastly, leveraging the 'Timestamps' can be valuable if both data sources provide accurate timestamps. Timestamps aid in understanding the chronological sequence of events, facilitating the correlation process."

Please let us know if you have more questions 🙂
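As an added illustration of the reply above (not code from the original thread or from Elastic), the following Python sketch normalizes a vendor-named firewall record to ECS field names, then correlates it with endpoint events on the shared identifier (the host's IP address) inside a time window, which is what an EQL `sequence by ... with maxspan` does in Elastic Security. All records and field names on the firewall side are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). The firewall names the client
# address "srcip" and uses its own timestamp key; the endpoint agent already
# uses ECS names (@timestamp, host.ip, process.name).
FIREWALL = [
    {"ts": "2024-05-01T10:00:00Z", "srcip": "10.0.0.5", "dstip": "203.0.113.9",
     "dport": 4444, "action": "allow"},
    {"ts": "2024-05-01T10:02:00Z", "srcip": "10.0.0.7", "dstip": "198.51.100.2",
     "dport": 443, "action": "allow"},
]
ENDPOINT = [
    {"@timestamp": "2024-05-01T10:00:20Z", "host.ip": "10.0.0.5",
     "process.name": "powershell.exe"},
    {"@timestamp": "2024-05-01T10:30:00Z", "host.ip": "10.0.0.7",
     "process.name": "chrome.exe"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize_firewall(rec):
    """Rename vendor fields to ECS names so both sources share a schema."""
    return {"@timestamp": parse_ts(rec["ts"]), "source.ip": rec["srcip"],
            "destination.ip": rec["dstip"], "destination.port": rec["dport"],
            "event.action": rec["action"], "event.category": "network"}

def normalize_endpoint(rec):
    """Endpoint data is already ECS; only the timestamp needs parsing."""
    return {**rec, "@timestamp": parse_ts(rec["@timestamp"]), "event.category": "process"}

def correlate(firewall, endpoint, maxspan_seconds):
    """Pair each allowed firewall connection with a process event on the same
    host (firewall source.ip == endpoint host.ip) that follows it within maxspan.
    Returns (source.ip, destination.port, process.name, seconds_between)."""
    maxspan = timedelta(seconds=maxspan_seconds)
    fw = sorted(map(normalize_firewall, firewall), key=lambda e: e["@timestamp"])
    ep = sorted(map(normalize_endpoint, endpoint), key=lambda e: e["@timestamp"])
    matches = []
    for f in fw:
        if f["event.action"] != "allow":
            continue
        for e in ep:
            delta = e["@timestamp"] - f["@timestamp"]
            if e["host.ip"] == f["source.ip"] and timedelta(0) <= delta <= maxspan:
                matches.append((f["source.ip"], f["destination.port"],
                                e["process.name"], int(delta.total_seconds())))
                break  # one sequence per firewall event
    return matches

if __name__ == "__main__":
    for m in correlate(FIREWALL, ENDPOINT, 300):
        print("correlated:", m)
```

Widening the window from 300 to 3600 seconds pulls in the second host as well, which shows why the `maxspan` choice matters as much as the join key.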
