I want to create a correlation rule for user tracking, and I need help with this correlation. I created a rule, however it didn’t work. I summarized the case below with screenshots.
- In this case there are 3 types of logs; the first and second logs are IIS logs (IISLog01 and IISLog02), and the third log is a security device log (FWLog).
- What I want to do is: when
(IISLog01’s “source translated address” and IISLog02’s “Attacker Address” are the same) and
(IISLog02’s “Source User Name” and FWLog’s “Source User Name” are the same)
within 1 minute, I want to see these logs in an active list under one correlated log.
- I added screenshots of the rule that I wrote (I changed the IP addresses and names).
- This query returns an empty result.
- I aggregated only the fields that I used in the query because there are lots of fields in the events. I tried aggregating everything that I need, but the result didn’t change.
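The three-way join described above, as an added Python example that is not part of the original question and is not an ArcSight rule: it re-implements the two matching conditions and the 1-minute window over constructed sample events, so the expected matches can be checked outside the SIEM before debugging the rule itself. The field names and sample values are assumptions.

```python
from datetime import datetime

# Constructed sample events (not from the original post). Field names mirror
# the ones named in the question; timestamps are ISO 8601 strings.
SAMPLE_EVENTS = [
    # Chain 1: address and user match, all three events within 35 seconds -> correlates.
    {"type": "IISLog01", "time": "2024-01-01T10:00:05", "sourceTranslatedAddress": "10.0.0.5"},
    {"type": "IISLog02", "time": "2024-01-01T10:00:20", "attackerAddress": "10.0.0.5", "sourceUserName": "jdoe"},
    {"type": "FWLog",    "time": "2024-01-01T10:00:40", "sourceUserName": "jdoe"},
    # Chain 2: fields match but the FW event arrives 90 seconds after the first -> outside 1-minute window.
    {"type": "IISLog01", "time": "2024-01-01T11:00:00", "sourceTranslatedAddress": "10.0.0.9"},
    {"type": "IISLog02", "time": "2024-01-01T11:00:30", "attackerAddress": "10.0.0.9", "sourceUserName": "asmith"},
    {"type": "FWLog",    "time": "2024-01-01T11:01:30", "sourceUserName": "asmith"},
    # Chain 3: address matches but the user name does not -> must not correlate.
    {"type": "IISLog01", "time": "2024-01-01T12:00:00", "sourceTranslatedAddress": "10.0.0.7"},
    {"type": "IISLog02", "time": "2024-01-01T12:00:10", "attackerAddress": "10.0.0.7", "sourceUserName": "bob"},
    {"type": "FWLog",    "time": "2024-01-01T12:00:20", "sourceUserName": "carol"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window_seconds=60):
    """Return one record per (IISLog01, IISLog02, FWLog) chain whose join fields
    match and whose three events all fall within `window_seconds` of each other."""
    by_type = {t: [e for e in events if e["type"] == t] for t in ("IISLog01", "IISLog02", "FWLog")}
    hits = []
    for iis1 in by_type["IISLog01"]:
        for iis2 in by_type["IISLog02"]:
            # Condition 1: IISLog01 source translated address == IISLog02 attacker address
            if iis2["attackerAddress"] != iis1["sourceTranslatedAddress"]:
                continue
            for fw in by_type["FWLog"]:
                # Condition 2: IISLog02 source user name == FWLog source user name
                if fw["sourceUserName"] != iis2["sourceUserName"]:
                    continue
                times = [_ts(iis1), _ts(iis2), _ts(fw)]
                # Time condition: the whole chain must fit inside the window
                if (max(times) - min(times)).total_seconds() <= window_seconds:
                    hits.append({
                        "address": iis1["sourceTranslatedAddress"],
                        "user": iis2["sourceUserName"],
                        "first_seen": min(times).isoformat(),
                        "last_seen": max(times).isoformat(),
                    })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Chain 2 shows the case that most often makes a join rule look "empty": every field matches, but the events are spread over more than the window, so widening `window_seconds` is a quick way to tell a timing problem from a field-matching problem.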