A common use of Splunk is to correlate different kinds of logs together. In fact, Palo Alto Networks Next-generation Firewall logs often need to be correlated together, such as joining traffic logs with threat logs. This page includes a few common examples which you can use as a starting point to build your own correlations.

## Correlation techniques

Each of these techniques can be used to perform the same correlation; however, each has a different performance profile. They are listed here in order of increasing search complexity and decreasing time cost. In other words, the last technique is the most efficient for Splunk, but the hardest for a human to read.

Each example will correlate traffic logs and URL logs to determine how many bytes have been transferred to each FQDN in the time period. The URL log has a dest_name field with the FQDN and the traffic log has a bytes_out field, so we need to correlate them to know how many bytes went out for each FQDN. The goal is to visualize possible data exfiltration by showing the total bytes_out for each FQDN.

### Correlation technique 1: Use a 'join' or 'transaction'

Join and transaction commands are expensive, but conceptually familiar to most people. In a pinch they can be used to get a view of the data, but if you're making a dashboard on a larger dataset, they can be pretty expensive.

```
sourcetype="pan:threat" log_subtype="url"
| stats count, sum(bytes_in), sum(bytes_out) BY dest_name
```

In this example, we search for all URL logs (which contain the FQDN), then join them with the traffic logs generated at the end of a session (which contain the total bytes in and out). All logs from a specific TCP session will have the same session_id, so it makes a decent correlation point. See Best correlation fields below for examples where the session ID is not enough to correlate logs.

### Correlation technique 2: Stats correlation

This technique is less common, but is very useful. It's faster than a join because it reduces the number of searches required, but not much faster, because it still pulls from the index. Here we perform the same search as the 'join' above and get the same results, but without using a 'join'.

```
(sourcetype="pan:threat" AND log_subtype="url") OR (sourcetype="pan:traffic" AND log_subtype="end")
```
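The following is an added example, not code from the original page or from the Splunk app for Palo Alto Networks. It models the stats-correlation technique in Python over a handful of constructed URL and end-of-session traffic events, so the logic (filter both sourcetypes in one search, collapse to one row per session_id, then aggregate by dest_name) can be checked offline. The field names follow the page; the session IDs, FQDNs and byte counts are made up, and the choice to keep the first dest_name seen for a session is an assumption.

```python
"""Python model of 'Correlation technique 2' (stats correlation) over
constructed pan:threat/url and pan:traffic/end events. Added example;
not part of the original page or the Splunk app."""
from collections import defaultdict


def base_search(events):
    """Stage 0: the page's base search,
    (sourcetype="pan:threat" AND log_subtype="url") OR
    (sourcetype="pan:traffic" AND log_subtype="end").
    Traffic 'start' logs carry no session totals and are excluded here."""
    return [
        e for e in events
        if (e["sourcetype"] == "pan:threat" and e["log_subtype"] == "url")
        or (e["sourcetype"] == "pan:traffic" and e["log_subtype"] == "end")
    ]


def collapse_by_session(events):
    """Stage 1: one row per session_id (what a 'stats ... by session_id'
    over both sourcetypes would give). The FQDN comes from the URL log and
    the byte counts from the end-of-session traffic log; the shared
    session_id lines them up, so no join is needed."""
    sessions = defaultdict(lambda: {"dest_name": None, "bytes_in": 0, "bytes_out": 0})
    for e in events:
        row = sessions[e["session_id"]]
        if e["sourcetype"] == "pan:threat":
            # Assumption: a session's URL logs name the same FQDN, so a
            # session with several URL logs is still counted once.
            if row["dest_name"] is None:
                row["dest_name"] = e["dest_name"]
        else:
            # The end log already holds the totals for the whole session.
            row["bytes_in"] += e["bytes_in"]
            row["bytes_out"] += e["bytes_out"]
    return sessions


def bytes_by_fqdn(events):
    """Stage 2: aggregate the per-session rows by dest_name, giving the
    number of sessions and total bytes in/out per FQDN. Sessions with no
    URL log (non-HTTP traffic) have no FQDN and are dropped, as a null
    dest_name would be dropped by 'stats ... BY dest_name'."""
    totals = defaultdict(lambda: {"count": 0, "bytes_in": 0, "bytes_out": 0})
    for row in collapse_by_session(base_search(events)).values():
        if row["dest_name"] is None:
            continue
        t = totals[row["dest_name"]]
        t["count"] += 1
        t["bytes_in"] += row["bytes_in"]
        t["bytes_out"] += row["bytes_out"]
    return dict(totals)


# Constructed sample events (not real firewall logs). Session 1002 has two
# URL logs, session 1003 also has a 'start' log, session 1004 has no URL log.
SAMPLE_EVENTS = [
    {"sourcetype": "pan:threat", "log_subtype": "url", "session_id": "1001",
     "dest_name": "updates.example.com"},
    {"sourcetype": "pan:traffic", "log_subtype": "end", "session_id": "1001",
     "bytes_in": 4000, "bytes_out": 250},
    {"sourcetype": "pan:threat", "log_subtype": "url", "session_id": "1002",
     "dest_name": "paste.example.net"},
    {"sourcetype": "pan:threat", "log_subtype": "url", "session_id": "1002",
     "dest_name": "paste.example.net"},
    {"sourcetype": "pan:traffic", "log_subtype": "end", "session_id": "1002",
     "bytes_in": 300, "bytes_out": 52000000},
    {"sourcetype": "pan:traffic", "log_subtype": "start", "session_id": "1003",
     "bytes_in": 0, "bytes_out": 0},
    {"sourcetype": "pan:threat", "log_subtype": "url", "session_id": "1003",
     "dest_name": "paste.example.net"},
    {"sourcetype": "pan:traffic", "log_subtype": "end", "session_id": "1003",
     "bytes_in": 200, "bytes_out": 8000000},
    {"sourcetype": "pan:traffic", "log_subtype": "end", "session_id": "1004",
     "bytes_in": 10, "bytes_out": 90},
]

if __name__ == "__main__":
    # Largest bytes_out first, the view an exfiltration dashboard would want.
    ranked = sorted(bytes_by_fqdn(SAMPLE_EVENTS).items(),
                    key=lambda kv: kv[1]["bytes_out"], reverse=True)
    for fqdn, t in ranked:
        print(f"{fqdn:24} sessions={t['count']} "
              f"bytes_in={t['bytes_in']} bytes_out={t['bytes_out']}")
```

The two-stage shape is the point: collapsing by session_id before aggregating by dest_name is what lets a single search replace the join, and it also keeps a session with several URL logs from being counted more than once.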