I call this "correlation workflow". There may be a more eloquent approach, but watchlists are where I make this happen. You can update a watchlist as an action for any event so:
Correlation rule 1 = Event1+Event2 = Field-x->watchlist1 Field-y->watchlist2 and then
Correlation rule 2 = watchlist1+watchlist2
For this correlation, and forgive me if I misunderstood the approach, I would suggest using "Group by: External_SessionID".
Then for the correlation logic use an AND gate with two filters:
| "Device ID #1", "Field-x"
| "Device ID #2", "Field-y"
Thanks both of you for the suggestions. I will work through them and plan to let you know how it works out.
Is there a way to specify which field populates the watchlist? In the events I am working with, both events have a field with the same name but different values. I only want to populate the watchlist with the value from one of the events, but right now it seems kind of random which one is chosen (I am assuming whichever is evaluated last). I am working with event order and sequencing to see if I can make it consistent.
Scratch that last question - I was able to get the events parsed into different fields to remove the duplication. So far it looks like rorik.koster's suggestion is working for what I needed. I will be using it to populate the initial watchlist and then a second correlation rule to check the event with another device (as andy777 suggested). Thanks for your help!
I tried to do the same thing with my case, but it seems to be different.
With the events retrieved from an Ironport (email) I try to get the events for a specific Filename. For this event I get only the MID.
I need also the Sender and Recipient information, which can be correlated with the MID, but they are on different events of the Ironport.
Can anyone help me on the methodology?
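As an added illustration (not code from this thread or from the SIEM product being discussed), the snippet below simulates in Python the "group by" correlation rorik.koster describes and the MID join aygitci needs: the filename, sender and recipient of one message arrive as separate events sharing a MID, and a match is reported only once all three are known, whatever order they arrive in. The event records, the `MidCorrelator` class and the field names are constructed for this example.

```python
from collections import defaultdict

# Constructed Ironport-style events: one message ID (MID) is spread over several
# log lines, and the filename line carries no sender/recipient (sample data, not real logs).
SAMPLE_EVENTS = [
    {"mid": "1001", "sender": "alice@example.org"},
    {"mid": "1001", "filename": "invoice.docm"},
    {"mid": "1002", "filename": "report.pdf"},
    {"mid": "1001", "recipient": "bob@example.net"},  # arrives last: out of order
    {"mid": "1002", "sender": "carol@example.org"},   # never gets a recipient event
]


class MidCorrelator:
    """Single-pass correlation grouped by MID (a hypothetical stand-in for the
    'Group by' field in the thread). Partial state is kept per MID until the
    filename, sender and recipient are all known, regardless of event order."""

    def __init__(self, watched_filenames):
        self.watched = set(watched_filenames)  # rule-1 style watchlist of filenames
        self.state = defaultdict(dict)         # mid -> fields collected so far
        self.fired = set()                     # mids already reported once

    def feed(self, event):
        """Return the correlated record when a MID becomes complete, else None."""
        mid = event["mid"]
        # Only the event that actually carries a field populates it; a later event
        # with the same MID and field name does not overwrite the first value.
        for key, value in event.items():
            if key != "mid" and value:
                self.state[mid].setdefault(key, value)
        s = self.state[mid]
        complete = {"filename", "sender", "recipient"}.issubset(s)
        if complete and s["filename"] in self.watched and mid not in self.fired:
            self.fired.add(mid)
            return {"mid": mid, **s}
        return None


def correlate(events, watched_filenames):
    """Run every event through one correlator and return the list of matches."""
    c = MidCorrelator(watched_filenames)
    return [m for m in (c.feed(e) for e in events) if m]


if __name__ == "__main__":
    for match in correlate(SAMPLE_EVENTS, {"invoice.docm"}):
        print(match)
```

MID 1002 never completes because no recipient event arrives, so it is held as partial state rather than reported; a real deployment would also expire such entries after a timeout.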
aygitci, I have actually had to go back to the drawing board on this. When I configured the rule to populate the watchlist with the field in the correlated event I needed, it was only adding that event to the correlation match about 20% of the time. My watchlist was not being consistently populated and I have yet to explain why that is the case.
I would be interested to hear if you find a solution to this, and plan to post back if I find anything.