Security SPL • Room 2

Session Correlation

Attackers don't do one bad thing; they do a sequence of bad things. Grouping events together by a common field (like a Session ID or IP) is essential.

The `transaction` command is useful for seeing the chronological flow of events, while `stats list()` is often faster for simply summarizing them.
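The two approaches side by side, as an added example that is not part of the course page. It assumes three constructed data sources that all carry a `src_ip` field: a `vpn` index with `action=login` events, a `windows` index with Security EventCode 4624 logons where `Logon_Type=10` marks RDP (RemoteInteractive), and a `proxy` index with `action=download` events; the index names and field values are assumptions, not from the page.

```spl
index=vpn action=login OR (index=windows EventCode=4624 Logon_Type=10) OR (index=proxy action=download)
| transaction src_ip maxspan=1h maxpause=15m startswith="action=login"
| search eventcount>=3
| table _time src_ip duration eventcount user sourcetype

index=vpn action=login OR (index=windows EventCode=4624 Logon_Type=10) OR (index=proxy action=download)
| sort 0 _time
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count list(sourcetype) AS steps values(user) AS users BY src_ip
| where count>=3
| convert ctime(first_seen) ctime(last_seen)
```

The first search stitches every event sharing a `src_ip` into one multivalue event in chronological order: `startswith` makes each group begin at a VPN login, `maxspan` caps the whole session at an hour, and `maxpause` breaks the group if more than fifteen minutes pass between steps. `transaction` adds the `duration` and `eventcount` fields itself, so the filter keeps only addresses that completed all three steps. The second search answers the same question with `stats`, which is distributable and runs on the indexers rather than holding whole groups in memory on the search head; the `sort 0 _time` is there because events otherwise arrive newest first and `list()` preserves arrival order. Two caveats a practitioner should keep in mind: `list()` stops at 100 values per group, and `stats` cannot express "login must come before download" the way `startswith` can, so reach for `transaction` when the ordering itself is the evidence and for `stats` when a per-IP summary is enough.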

Knowledge Check

Question 1 of 1
If you want to group a user's VPN login, their subsequent RDP connection, and a file download into a single block of events based on their IP address, which command would you use?
A. `dedup src_ip`
B. `transaction src_ip`
C. `timechart count by src_ip`
D. `eval src_ip=session`