Splunk Enterprise Security

Correlation Search - results not displaying correctly

shiftey
Path Finder

I've been spending a long time trying to get 1 correlation search working. The search is to find non-standard hostnames that have been assigned a DHCP address; this would cover a scenario where a rogue laptop is plugged into the network.

The search I am using is:

description=assign | search dest!=Prefix1* | search dest!=Prefix2* | search dest!=Prefix3* | search dest!=Prefix4* | dest_ip!=10.50.x.1/20 dest_ip!=10.51.x.1/21 dest_ip!=10.49.x.1/27 | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac

Prefix1*, Prefix2* etc are known hostnames that follow a naming convention.

Some VOIP phone devices that use DHCP have a hostname that is the same as their MAC address, which is why there is 'where dest!=dest_mac'.

In the notable search itself I have:

Notable event title:
Suspicious Host Discovered - $dest$ at $time$ on $date$

Notable event description:
The system $dest$ has been assigned an IP Address

Start time is: -3d (so I get some initial results; this will change to -5 when proven working)
End time is: now
cron: set to run every 5 mins

The goal is to search the last 5 mins of DHCP logs every 5 mins using the search above so that an unknown host that uses DHCP can quickly be discovered.

However in the Incident Review dashboard the title is displayed as:
Suspicious Host Discovered - unknown at unknown on unknown

It doesn't appear to read the field results correctly.

I've run this search manually in a standard search and I have 3-4 results when searching over the last 3 days.

Also, what happens if the correlation search finds multiple hostnames that fit the criteria of the search? Does it create separate notable events?

Thanks

0 Karma

woodcock
Esteemed Legend

Perhaps the reason it is not working is because you left out the last 2 | search strings, but you should not split your base search logic that way anyway; it wastes CPU and memory. Try this:

description=assign dest!=Prefix1* dest!=Prefix2* dest!=Prefix3* dest!=Prefix4* dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac
0 Karma

shiftey
Path Finder

Have spent a lot of time on this today and still getting nowhere, frustrating!
Using standard Splunk search I can use:

description=assign | where NOT cidrmatch("10.50.96.1/20",dest_ip) | where NOT cidrmatch("10.50.80.1/21",dest_ip) | where NOT cidrmatch("10.49.16.1/27",dest_ip) | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac

I get the desired results, where I see hostnames with prefixes not specified in the search. Maybe 4 or 5 hostnames (dest field).

I've turned the same syntax into a correlation search (checked parsing using guided mode too, but left the search as manual) and created a notable event, with the title
"Suspicious Host Discovered - $dest$ at $time$ on $date$"
I instead see:
"Suspicious Host Discovered - unknown at unknown on unknown"

There are also multiple events created (10s or 100s). If a normal search has 4 results, why does the incident dashboard not show 4 notable events from the correlation search which uses the same syntax? Doesn't seem very intuitive.
Tomorrow's another day.

0 Karma

shiftey
Path Finder

Have used this for CIDR; it is now working:

where NOT cidrmatch("10.49.16.1/27",dest_ip)
0 Karma

shiftey
Path Finder

1 more question -

Search results are being matched by case.
By using

NOT like(dest, "PREFIX1%")

I will still have results that are "Prefix1" or "prefix1". How can I make the search case insensitive?

0 Karma
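A consolidated version of the search this thread is working towards, as an added example rather than any poster's own SPL: it excludes the three subnets with cidrmatch, makes the prefix filter case-insensitive with an inline (?i) regex (the alternative is like(lower(dest), "prefix1%")), drops hosts whose name equals their MAC, and collapses the leases to one row per host with stats so the notable title can draw on real time and date fields. The sourcetype, field names and the three ranges (written here in network form, .0 instead of .1) are taken from the posts above; the anchored, dot-escaped rex pattern is an assumption about the domain suffix.

```spl
sourcetype=DhcpSrvLog description=assign
| rex mode=sed field=dest "s/\.company\.domain\.com$//"
| where NOT cidrmatch("10.50.96.0/20", dest_ip)
    AND NOT cidrmatch("10.51.80.0/21", dest_ip)
    AND NOT cidrmatch("10.49.16.0/27", dest_ip)
| where NOT match(dest, "(?i)^(prefix1|prefix2|prefix3|prefix4)")
| where lower(dest)!=lower(coalesce(dest_mac, ""))
| stats count AS lease_count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(dest_ip) AS dest_ip
        BY dest dest_mac
| eval time=strftime(last_seen, "%H:%M:%S"),
       date=strftime(last_seen, "%Y-%m-%d")
```

Tokens such as $dest$, $time$ and $date$ in the notable title are filled from fields present in each result row, so the closing eval is what gives $time$ and $date$ values; one row per dest also means one notable per unknown host per scheduled run rather than one per lease event.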

shiftey
Path Finder
sourcetype=DhcpSrvLog description=assign | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND NOT like(dest_ip, "10.50.96.1/20") AND NOT like(dest_ip, "10.51.80.1/21") AND NOT like(dest_ip, "10.49.16.1/27") AND dest!=dest_mac

Running this search now. The Prefix filtering is working; however, the NOT like(dest_ip, "10.51.80.1/21") IP range filtering is not working. The results include those IP ranges.

0 Karma

woodcock
Esteemed Legend

You cannot specify IP ranges/subnets like that; you need to specify it more literally using SQL-like syntax.

0 Karma

shiftey
Path Finder

The second command is returning some results, although the dest_ip! filtering is not working; I am working on that.

0 Karma

woodcock
Esteemed Legend

Just convert that part to NOT LIKE, too.

0 Karma

shiftey
Path Finder

Thanks Woodcock,

I did try that syntax initially, however it does not parse correctly (used guided mode to confirm).

Splunk ES does not like the wildcard * I believe.

0 Karma

woodcock
Esteemed Legend

Then do this:

description=assign dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | regex dest!="^(?:Prefix1|Prefix2|Prefix3|Prefix4)" | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac

And if it still won't take the wildcard, try this:

description=assign dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac
0 Karma