Looking for a way to correlate events


(Jonhnathan) #1

I've tried a lot of methods, but I can't find a way to display events with specific values ACROSS logs... For example, I want something like eval in Splunk, so I can make alerts when some circumstances occur, like an if condition... Has anyone done anything related?


(Chris Earle) #2

Hi @w0rk3r,

It sounds like you want to create an alert (aka a Watch), but I am not very familiar with Splunk. Can you give some example logs and the conditions under which it should be triggered? That should help some of us get a better idea of exactly what you're asking.

Thanks,
Chris


(Jonhnathan) #3

Hey @pickypg,

I'm not using X-Pack, so not exactly a Watch, nor Splunk on this project... For example, a use case could be a simple detection of a known malicious tool like mimikatz... so I have the following:

I want to do a query and validate whether these results occur together.
Something like: module_loaded:"C:\Windows\System32\vaultcli.dll" AND module_loaded:"C:\Windows\System32\bcrypt.dll" AND module_loaded:"C:\Windows\System32\crypt32.dll" AND module_loaded:"C:\Windows\System32\wintrust.dll"

The questions:
1-) How can I do a query across these logs with a "MUST HAVE" value (like in the query example), without using an OR (the OR will return results whether there is one or one hundred logs with one of the values)?
2-) Or is there a way to do that with OR?

Thank you
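An added example (not code from the original thread) of how the "must have all four modules" condition can be expressed. Each image-load event is its own document and carries only one module_loaded value, so no single-document query, OR or AND, can answer the question; the correlation has to group events by the process that loaded them. The block builds the Elasticsearch aggregation that does this without X-Pack (an OR-style terms query as a prefilter, a terms aggregation per process, and a bucket_selector that keeps only buckets with all required modules), and implements the same logic in plain Python over constructed sample events so it can be checked offline. The field names process_guid and host are assumptions about the log schema (the thread only names module_loaded); a per-process GUID, as Sysmon emits, is a safer grouping key than host plus PID, which is reused.

```python
"""
Correlating image-load events across separate log documents.

Added example, not code from the original thread. process_guid, host and
image are ASSUMED field names; only module_loaded comes from the thread.
"""
import json

# The four modules the poster wants to see loaded by one process.
REQUIRED_MODULES = {
    r"C:\Windows\System32\vaultcli.dll",
    r"C:\Windows\System32\bcrypt.dll",
    r"C:\Windows\System32\crypt32.dll",
    r"C:\Windows\System32\wintrust.dll",
}


def build_es_query(required=REQUIRED_MODULES,
                   group_field="process_guid.keyword",
                   module_field="module_loaded.keyword"):
    """Elasticsearch request body that answers question 1 without X-Pack.

    The query clause is the OR the poster tried; on its own it matches any
    single hit. The terms aggregation groups the hits per process, and the
    bucket_selector keeps only buckets in which the number of distinct
    required modules equals the required count. cardinality is approximate
    in general but exact well below precision_threshold, so it is reliable
    for a handful of values. Keyword fields are case-sensitive: if the
    source logs vary in case, add a lowercase normalizer to the mapping.
    """
    return {
        "size": 0,
        "query": {"terms": {module_field: sorted(required)}},
        "aggs": {
            "by_process": {
                "terms": {"field": group_field, "size": 1000},
                "aggs": {
                    "distinct_modules": {
                        "cardinality": {
                            "field": module_field,
                            "precision_threshold": 100,
                        }
                    },
                    "all_required": {
                        "bucket_selector": {
                            "buckets_path": {"n": "distinct_modules"},
                            "script": f"params.n == {len(required)}",
                        }
                    },
                },
            }
        },
    }


def correlate(events, required=REQUIRED_MODULES, group_field="process_guid"):
    """Same logic in Python: return the group keys that loaded every module.

    Windows paths are case-insensitive, so values are compared lower-cased.
    """
    wanted = {m.lower() for m in required}
    seen = {}
    for ev in events:
        key = ev.get(group_field)
        mod = ev.get("module_loaded")
        if key is None or mod is None:
            continue
        if mod.lower() in wanted:
            seen.setdefault(key, set()).add(mod.lower())
    return sorted(k for k, mods in seen.items() if mods >= wanted)


# Constructed sample events: one process loads all four modules, one loads
# two of them, one loads a single module in a different case.
SAMPLE_EVENTS = [
    {"host": "ws01", "process_guid": "{A1}", "image": r"C:\Tools\m.exe",
     "module_loaded": r"C:\Windows\System32\vaultcli.dll"},
    {"host": "ws01", "process_guid": "{A1}", "image": r"C:\Tools\m.exe",
     "module_loaded": r"C:\Windows\System32\bcrypt.dll"},
    {"host": "ws01", "process_guid": "{A1}", "image": r"C:\Tools\m.exe",
     "module_loaded": r"C:\Windows\System32\crypt32.dll"},
    {"host": "ws01", "process_guid": "{A1}", "image": r"C:\Tools\m.exe",
     "module_loaded": r"C:\Windows\System32\wintrust.dll"},
    {"host": "ws02", "process_guid": "{B2}", "image": r"C:\Windows\explorer.exe",
     "module_loaded": r"C:\Windows\System32\crypt32.dll"},
    {"host": "ws02", "process_guid": "{B2}", "image": r"C:\Windows\explorer.exe",
     "module_loaded": r"C:\Windows\System32\bcrypt.dll"},
    {"host": "ws03", "process_guid": "{C3}", "image": r"C:\Windows\notepad.exe",
     "module_loaded": r"c:\windows\system32\wintrust.dll"},
]


if __name__ == "__main__":
    print(json.dumps(build_es_query(), indent=2))
    print("processes loading all required modules:", correlate(SAMPLE_EVENTS))
```

The OR in the query is not the problem; it is the right prefilter, because it keeps only the hits that matter and lets the aggregation do the AND per process. Any field that is shared by the four events but unique to one process (a GUID, or at least host plus PID plus process start time) works as the grouping key; a bare PID does not, since PIDs are reused and the four loads would have to happen within one process lifetime.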

