Hi All, I want to create an SPL query that first returns data by matching the destination IP address from Palo Alto logs. Then, according to the destination IP, it will resolve the actual destination hostname from Symantec logs and Windows Event logs in separate fields. I was able to match the destination IP (dest_ip) from Palo Alto logs with Symantec logs and return the hostname (if available) from it. However, I am struggling to do the same by joining Windows logs to return the values, which should be equal to the hostname in Symantec logs. Can someone kindly assist me in fixing this code to retrieve the expected results? 🙂

index=*-palo threat="SMB: User Password Brute Force Attempt(40004)" src=* dest_port=445
| eval dest_ip=tostring(dest)
| join type=left dest_ip [
    search index=*-sep device_ip=*
    | eval dest_ip=tostring(device_ip)
    | stats count by dest_ip user_name device_name
  ]
| join type=left dest_ip [
    search index="*wineventlog" src_ip=*
    | eval dest_ip=tostring(src_ip)
    | eval username=tostring(user)
    | stats count by dest_ip username ComputerName
  ]
| table future_use3 src_ip dest_ip dest_port user device_name user_name rule threat repeat_count action ComputerName username
| sort src_ip
| rename future_use3 AS "Date/Time" src_ip AS "Source IP" dest_ip AS "Destination IP" user AS "Palo Detected User" user_name AS "Symantec Detected User @ Destination" device_name AS "Symantec Destination Node" rule AS "Firewall Rule" threat AS "Threat Detected" action AS "Action" repeat_count AS "Repeated Times"
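A single-pass alternative for the same correlation, added here as an example rather than the poster's query, that replaces the two join subsearches with eventstats so the enrichment is not capped by subsearch result limits or by join's one-match-per-key default. It assumes the index patterns and field names used in the post (dest, device_ip/device_name/user_name, src_ip/ComputerName/user, future_use3) and keeps the post's mapping of the Windows src_ip field to the destination address; the source_set and join_ip fields are names chosen for this example.

```spl
(index=*-palo threat="SMB: User Password Brute Force Attempt(40004)" src=* dest_port=445)
    OR (index=*-sep device_ip=*)
    OR (index="*wineventlog" src_ip=*)
| eval source_set=case(match(index, "palo$"), "palo",
                       match(index, "sep$"), "sep",
                       match(index, "wineventlog$"), "win")
| eval join_ip=case(source_set=="palo", tostring(dest),
                    source_set=="sep", tostring(device_ip),
                    source_set=="win", tostring(src_ip))
| eval sep_user=if(source_set=="sep", user_name, null()),
       sep_host=if(source_set=="sep", device_name, null()),
       win_user=if(source_set=="win", user, null()),
       win_host=if(source_set=="win", ComputerName, null())
| eventstats values(sep_user) AS user_name,
             values(sep_host) AS device_name,
             values(win_user) AS username,
             values(win_host) AS ComputerName
             BY join_ip
| where source_set=="palo"
| eval dest_ip=join_ip
| table future_use3 src_ip dest_ip dest_port user device_name user_name rule threat repeat_count action ComputerName username
| sort src_ip
| rename future_use3 AS "Date/Time", src_ip AS "Source IP", dest_ip AS "Destination IP", user AS "Palo Detected User", user_name AS "Symantec Detected User @ Destination", device_name AS "Symantec Destination Node", ComputerName AS "Windows Destination Node", username AS "Windows Detected User @ Destination", rule AS "Firewall Rule", threat AS "Threat Detected", action AS "Action", repeat_count AS "Repeated Times"
```

Because values() keeps every hostname seen for a destination IP as a multivalue field, hosts that share or reuse an address show up instead of being silently dropped, at the cost of reading all SEP and Windows events in the time window, so keep the range tight. If the Windows events are logon failures recorded on the target, src_ip there is normally the address the attempt came from rather than the target's own address, so verify that key against your data before relying on the ComputerName column.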