Splunk Search

What to use to search a hash and return all info for all users that have a hit?

freeload101
Explorer
  • New to Splunk, but I understand regex and have a strong background in sed/awk/curl/bash.
  • I want to search a hash and return all the info for all the users that have a hit.
  • ProcessRollup2 contains the fields aid and SHA256HashData. I need them linked via aid, but the result is too large for the limited subsearch (10K) as we have 30K+ endpoints.
  • UserIdentityV2-v02 contains the fields aid and UserPrincipal. I need them linked via aid, but the result is too large for the limited subsearch (10K) as we have 30K+ endpoints.
  • If I use a simple subsearch the result is trimmed, or if too many days go by I don't get any hits.

Work in progress.
This search 'works' but does not keep the SHA256HashData from the original search. I need the hash and the other fields from ProcessRollup2 too!

  event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 earliest=-10d@d latest=@m
  | dedup aid
  | stats count by aid SHA256HashData
  | map search="search sourcetype=UserIdentityV2-v02 aid=$aid$ earliest=-60d@d latest=@m"
  | dedup aid UserPrincipal SHA256HashData
  | table aid UserPrincipal SHA256HashData

This is what used to work, sort of, as long as it's around 1-4 days, because of the max limits I can't change on the CrowdStrike server.

  sourcetype=UserLogonV8-v02
      [| search sourcetype=json_predefined_timestamp SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b"
       | table AgentIdString
       | dedup AgentIdString
       | rename AgentIdString as aid]
  | table aid UserName UserPrincipal LocalAddressIP4
  | dedup UserPrincipal
  | sort aid
  | join type=outer aid
      [| search sourcetype=json_predefined_timestamp SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b"
       | table AgentIdString DetectDescription
       | rename AgentIdString as aid]
  | table aid DetectDescription UserName UserPrincipal LocalAddressIP4
  | lookup aid_master aid OUTPUT City Country ComputerName MachineDomain
  | table aid DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName UserPrincipal FULLNAME City Country

freeload101
Explorer
Found my own post 😛 Use the following query to bind UserName to email, like so:


  | join UserName
      [search event_simpleName IN ("UserLogon*", "Login*") UserPrincipal!="svcSCOM.SvcNow@newellco.com" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-2d@d]
Reference: https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting


yannK
Splunk Employee

In general, when you are looking at the same time range, I always recommend trying a single search instead of map or a subsearch.

Does this help, or do you still need to split by SHA256HashData and aid ?

  earliest=-10d@d latest=@m ( event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 ) OR ( sourcetype="UserIdentityV2-v02" )
  | stats count values(UserPrincipal) values(SHA256HashData) by aid
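The single-search approach above returns a row for every aid in UserIdentityV2-v02, not only the ones that ran the hash, because stats groups by aid across both sides of the OR. The following search is an added example (not from any post in this thread) that carries the idea through to the original requirement: it keeps only aids where the hash was seen, lets the identity side use a wider window than the process side, and enriches the result with the aid_master lookup the thread already uses. The hash is the one from the question; the FileName field on ProcessRollup2 and the aid_master output fields are assumed to exist in your index.

```spl
earliest=-60d@d latest=@m
    ( event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 )
    OR ( sourcetype="UserIdentityV2-v02" )
| where event_simpleName!="ProcessRollup2" OR _time >= relative_time(now(), "-10d@d")
| stats values(SHA256HashData) as SHA256HashData,
        values(FileName) as FileName,
        values(UserPrincipal) as UserPrincipal,
        count(eval(event_simpleName=="ProcessRollup2")) as process_hits
        by aid
| where isnotnull(SHA256HashData)
| lookup aid_master aid OUTPUT ComputerName MachineDomain City Country
| mvexpand UserPrincipal
| table aid ComputerName MachineDomain UserPrincipal SHA256HashData FileName process_hits City Country
```

Because everything is reduced by one stats command over a single base search, neither the subsearch result limit nor the default 10-search cap of map applies, so 30K+ endpoints are not a problem. The where clause after the base search trims ProcessRollup2 events to the last 10 days while identity events keep the full 60-day window; the isnotnull filter is what drops the aids that never ran the hash. The mvexpand at the end produces one row per (aid, UserPrincipal) pair, which matches the "all users that have a hit" table the question asks for; leave it out if a multivalue list of users per host is preferred.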