Pinned topic: search results in another search

1 reply · Latest post 2012-11-27T18:26:09Z by SystemAdmin

SystemAdmin (184 Posts) · 2012-05-31T12:58:04Z
Background:
Found an interesting event in our IPS that we want to investigate. The IPS is on the internet side of the firewall (internet <-> IPS <-> FW). The IPS signature is currently set to allow but is hitting a port which should be denied on the FW.

Question:
Is it possible to search for the IPS event, take the significant data (timestamp, src IP, dst IP, etc.) from the 20-30-ish events and automatically populate a search for the FW logs to see if it was allowed or blocked?

I can do it manually, but that entails entering several IPs into the various filters and then manually correlating it.

Posted by Mike Calvi
  • SystemAdmin (184 Posts) · 2012-11-27T18:26:09Z

    Re: Unfortunately no good way to
    Unfortunately there is no good way to automate this today. Best bet is to right-click on each IP and perform the secondary search. Moving forward, you could create Building Blocks for each of the actions and search for events that matched both Building Blocks.

    Posted by scott.vanwart
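The correlation the question describes (take timestamp, src IP, dst IP and port from each IPS event, look for the matching firewall entry, and see whether it was allowed or blocked) can be done outside the console over exported logs. The script below is an added example written for this page; it is not part of the original thread and not a feature of any product. Both log formats are constructed for illustration (a CSV export for the IPS, a syslog-style line with SRC=/DST=/DPT= fields for the firewall) and the regex, the 30-second window and the hostnames are assumptions to adapt to whatever your IPS and firewall actually emit.

```python
"""Correlate IPS alerts with firewall log lines on (src, dst, dport) within a time window.

Added example, not from the original thread. The IPS CSV and firewall syslog formats
below are constructed; change parse_ips_export/FW_RE to match your real exports.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IPS export: ISO timestamp, src, dst, dport, signature name
IPS_EXPORT = """\
2012-05-31T12:40:01Z,203.0.113.7,198.51.100.10,445,SMB_Probe
2012-05-31T12:40:05Z,203.0.113.7,198.51.100.11,445,SMB_Probe
2012-05-31T12:41:30Z,203.0.113.9,198.51.100.10,3389,RDP_Scan
2012-05-31T12:42:00Z,203.0.113.12,198.51.100.10,445,SMB_Probe
"""

# Constructed firewall log (syslog-like). The last line is deliberately far outside
# the window so the script reports "no-fw-match" rather than a stale hit.
FW_LOG = """\
2012-05-31T12:40:02Z fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=445
2012-05-31T12:40:06Z fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP DPT=445
2012-05-31T12:41:31Z fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP DPT=3389
2012-05-31T13:30:00Z fw1 kernel: DENY IN=eth0 SRC=203.0.113.12 DST=198.51.100.10 PROTO=TCP DPT=445
"""

# Assumed firewall line layout; adjust field names for your device.
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: (?P<action>ACCEPT|DENY) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_ips_export(text):
    """One dict per IPS event with the fields used for the secondary search."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, sig = line.split(",")
        events.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                       "dport": int(dport), "sig": sig})
    return events


def parse_fw_log(text):
    """Index firewall hits by (src, dst, dport) so each IPS event costs one lookup."""
    index = defaultdict(list)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unrelated or unparseable line; skip it
        key = (m["src"], m["dst"], int(m["dport"]))
        index[key].append((parse_ts(m["ts"]), m["action"]))
    return index


def correlate(events, fw_index, window=timedelta(seconds=30)):
    """Attach a verdict to each IPS event: allowed, blocked, or no-fw-match."""
    results = []
    for ev in events:
        key = (ev["src"], ev["dst"], ev["dport"])
        hits = [(ts, act) for ts, act in fw_index.get(key, [])
                if abs(ts - ev["ts"]) <= window]
        if not hits:
            verdict = "no-fw-match"
        else:
            # the firewall entry closest in time to the IPS alert decides
            _, act = min(hits, key=lambda h: abs(h[0] - ev["ts"]))
            verdict = "allowed" if act == "ACCEPT" else "blocked"
        results.append({**ev, "verdict": verdict})
    return results


def run():
    return correlate(parse_ips_export(IPS_EXPORT), parse_fw_log(FW_LOG))


if __name__ == "__main__":
    for r in run():
        print(f"{r['ts']:%H:%M:%S} {r['sig']:10} {r['src']} -> "
              f"{r['dst']}:{r['dport']} {r['verdict']}")
```

The rows marked "allowed" are the ones worth chasing: traffic the IPS signature let through and the firewall also accepted on a port that should have been denied. A "no-fw-match" row means the firewall never logged that flow inside the window, which is itself a finding (missing logging, or the packet never reached the firewall) rather than a result to discard.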