Is it possible to build an event search (not a rule) that aggregates events from two different sources, correlating on a custom user field built from a regex?
What I am trying to do is get events from two different event sources where they have the same username field (custom created to normalise the username from different fields within each event source) and simply aggregate these.
The idea is that for a user I want to see all related events that meet some criteria in each event source. I'd imagine that when actually showing the relevant fields for some rows there will be empty values where a particular field exists in one event type but not in the other.
Sample:
events:
// --- AWS LOGIC ---
// Add aws.principal.user.user_display_name = "someuser@mail.com"
$aws.metadata.vendor_name = "amazon"
$aws.metadata.product_event_type = /AssumeRole(WithWebIdentity|WithSAML)?/
// --- HASHICORP LOGIC ---
// Add hashi.target.user.user_display_name = "okta-someuser"
$hashi.metadata.log_type = "HASHICORP"
$hashi.target.user.user_display_name = /^(okta|ldap)-.*/
$hashi.target.url = /.*(secret|kv)\/.*/
// --- SHARED BINDING ---
// This connects both event types to the same match variable
$username = re.capture($aws.principal.user.user_display_name, "([^@]+)@mail.com")
$username = re.capture($hashi.target.user.user_display_name, "^(?:okta-|ldap-)(.*)")
match:
$username over 1h
condition:
$aws or $hashi
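To show what the search above is asking for, here is an added Python model of it (my own illustration, not Chronicle's code and not the poster's search): it applies the post's regexes to constructed sample events, normalises both sources to the shared `$username`, groups by username within 1-hour buckets (a tumbling-window simplification of `over 1h`), and emits one row per group with `None` where a source has no matching event in that window, the "empty values" the poster expects from `$aws or $hashi`.

```python
import re
from collections import defaultdict

# Regexes lifted from the post's search; regex matching is substring-based
# (re.search) to mirror unanchored YARA-L regex semantics.
AWS_USER_RE = re.compile(r"([^@]+)@mail.com")
AWS_EVENT_RE = re.compile(r"AssumeRole(WithWebIdentity|WithSAML)?")
HASHI_USER_RE = re.compile(r"^(?:okta-|ldap-)(.*)")
HASHI_URL_RE = re.compile(r".*(secret|kv)/.*")
WINDOW_SECS = 3600  # the "over 1h" match window

# Constructed sample events (timestamps are epoch seconds); not real data.
EVENTS = [
    {"src": "aws", "ts": 1000, "user": "someuser@mail.com", "type": "AssumeRoleWithSAML"},
    {"src": "hashi", "ts": 1800, "user": "okta-someuser", "url": "v1/secret/data/prod/db"},
    {"src": "hashi", "ts": 5000, "user": "ldap-someuser", "url": "v1/kv/app"},  # later window
    {"src": "aws", "ts": 1200, "user": "other@mail.com", "type": "GetCallerIdentity"},  # filtered
    {"src": "hashi", "ts": 1300, "user": "svc-bot", "url": "v1/secret/x"},  # no okta-/ldap- prefix
]

def normalise(ev):
    """Apply the post's per-source filters; return the shared $username or None."""
    if ev["src"] == "aws":
        if not AWS_EVENT_RE.search(ev["type"]):
            return None
        m = AWS_USER_RE.search(ev["user"])
    else:
        if not HASHI_URL_RE.search(ev["url"]):
            return None
        m = HASHI_USER_RE.search(ev["user"])
    return m.group(1) if m else None

def correlate(events, window=WINDOW_SECS):
    """Group qualifying events by ($username, window bucket) and emit one row
    per group; a source absent from the window shows as None. This models the
    poster's expected '$aws or $hashi' output, not Chronicle's actual join."""
    groups = defaultdict(lambda: {"aws": [], "hashi": []})
    for ev in events:
        user = normalise(ev)
        if user is None:
            continue
        groups[(user, ev["ts"] // window)][ev["src"]].append(ev)
    rows = []
    for (user, bucket), sides in sorted(groups.items()):
        rows.append({"username": user, "window": bucket,
                     "aws_event_type": [e["type"] for e in sides["aws"]] or None,
                     "hashi_url": [e["url"] for e in sides["hashi"]] or None})
    return rows
```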