Is there a way to create a single event including fields from multiple different sources?
The use case is alerting on VPN login. The messages from my USG show the remote IP, but don't include the user. The messages from my DC show the user, but not the remote IP.
The two messages are typically separated by less than 5s.
I’d like to be able to get a single alert with both the IP and username. In the rare case that two users connect within a few seconds, I’d be ok with bad or no correlation between IPs and users (in my case, they’d almost certainly be from the same remote IP anyway).
I have the search working: (source:DC01 and Security_ID:*) OR (source:UnifiGateway AND "Connection established"), but I can only pull a field from one or the other.
Maybe make a stream + rules, and dump what you want in there. Then use that stream in the Event Definition; this would reduce the white noise for your alerts.
The format of the search query you're using isn't working for me. The problem isn't in finding a search query. The problem is in providing the fields for the notification. (Or even just the full messages)
Maybe I didn’t explain the message setup well:
Msg1:
source: UnifiGateway. “Connection established to ###.###.###.###”
Extracted field: Remote_IP
Msg2:
source: DC01 (Windows event log). “Network Policy Server granted access to a user …”
Extracted field: Security_ID
When I put Remote_IP into “Group by Field(s)”, I can send Remote_IP to the notification.
When I put Security_ID in, I can send Security_ID to the notification.
When I put both in, it doesn’t trigger.
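The correlation asked for in this thread, written out as an added example (not code from the original posts and not Graylog's own logic): a small Python correlator that joins the gateway's Remote_IP message with the DC's Security_ID message when the two fall within 5 seconds of each other, in either order, and emits a partial event (missing field set to None) when no partner arrives, so a login that only shows up on one side is still alerted on. The sample log lines, the "Security ID:" wording of the DC01 message, and the timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # the "less than 5s" gap described in the post
IP_RE = re.compile(r"Connection established to (\d{1,3}(?:\.\d{1,3}){3})")
SID_RE = re.compile(r"Security ID:\s*(\S+)")  # assumed layout of the DC01 message text

SAMPLE_LOG = [  # constructed sample (timestamp, source, message); not from the post
    ("2024-01-01T10:00:00", "UnifiGateway", "Connection established to 203.0.113.10"),
    ("2024-01-01T10:00:03", "DC01", "Network Policy Server granted access to a user. Security ID: CORP\\alice"),
    ("2024-01-01T10:05:00", "DC01", "Network Policy Server granted access to a user. Security ID: CORP\\bob"),
    ("2024-01-01T10:10:00", "UnifiGateway", "Connection established to 198.51.100.7"),
    ("2024-01-01T10:10:02", "DC01", "Network Policy Server granted access to a user. Security ID: CORP\\carol"),
    ("2024-01-01T10:10:04", "DC01", "Network Policy Server granted access to a user. Security ID: CORP\\dave"),
]

def parse(source, message):  # -> ("ip", value) | ("user", value) | None
    if source == "UnifiGateway":
        m = IP_RE.search(message)
        return ("ip", m.group(1)) if m else None
    if source == "DC01":
        m = SID_RE.search(message)
        return ("user", m.group(1)) if m else None

def _event(t, ip=None, user=None):
    return {"time": t.isoformat(), "remote_ip": ip, "user": user}

def correlate(lines, window=WINDOW):
    """Pair IP/user messages within `window` of each other (either order); unpaired halves keep None."""
    pending, events = {"ip": [], "user": []}, []  # unmatched (time, value), oldest first
    for ts, source, message in sorted(lines, key=lambda line: line[0]):
        t = datetime.fromisoformat(ts)
        for kind, queue in pending.items():  # too old to pair any more: emit as partial
            while queue and t - queue[0][0] > window:
                old_t, value = queue.pop(0)
                events.append(_event(old_t, **{kind: value}))
        parsed = parse(source, message)
        if parsed is None:
            continue
        kind, value = parsed
        other = "user" if kind == "ip" else "ip"
        if pending[other]:  # oldest unmatched message of the other kind is the partner
            other_t, other_value = pending[other].pop(0)
            ip, user = (value, other_value) if kind == "ip" else (other_value, value)
            events.append(_event(min(t, other_t), ip, user))
        else:
            pending[kind].append((t, value))
    for kind, queue in pending.items():  # drain whatever is left at end of input
        events.extend(_event(old_t, **{kind: value}) for old_t, value in queue)
    return events
```

Pairing is one-to-one and first-come-first-served, so when two users connect within the window the second one is reported without an IP rather than being mis-attributed to a consumed one.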