Splunk Search

Search That Looks Back in Time and Checks Fields

jodros
Builder

I need assistance building a search that looks back in time 5 minutes to check and see if fields are present. If so, I do not need it to return any results. This is correlating two different security logs.

Example:

sourcetype=a field=1 field=2 field=3 is used to look back 5 minutes against 

sourcetype=b field=1 field=2 field=3

If there is a match, return no results.  If no match, return sourcetype=a field=1 field=2 field=3 results.

Any assistance would be appreciated.

0 Karma

niketn
Legend

@jodros please add more relevant details. Do you want to correlate based on field names or values of the fields? i.e. field1, field2 and field3 to be present in the event? Or for field1=<value1>, field2=<value2> and field3=<value3> you want to correlate when the values value1, value2 and value3 are the same for the three fields? Please add some sample cooked up data for the two events and the final expected output so that the community can assist you better!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jodros
Builder

Thanks @niketn. Both sourcetypes have the same fields (field 1, field 2, field 3). I need to know when they also have the same values. This is for a security alert. The alert should search for the three fields in sourcetype "a", then look back in time from that point back 5 minutes (-5m@m to now) for the same fields and values in sourcetype "b". If the same fields and values are found, then no alert should fire. If the same fields and values are not found, then an alert should fire with the data from sourcetype "a" (field 1, field 2, field 3).

Thanks

0 Karma

jodros
Builder

I think I have found a way to get this working with a lookup file, but I would rather not use that method.

0 Karma

jodros
Builder

I am trying something like this, but it is not working.

(sourcetype=apple action=blocked)
| append [ search sourcetype=banana | rename source as bsource destination as bdestination url as burl ]
| eval contained = if(bsource != source, "false", if(bdestination != destination, "false", if(burl != url, "false", "true")))
| table bsource bdestination burl
| where contained = false

Any help would be appreciated.

0 Karma

jodros
Builder

I think I got this working with transactions. Let me know if this is the best way or if there is a more CPU-friendly way.

(sourcetype=apple action=blocked) OR (sourcetype=banana)
| eval Stuff=coalesce(stuffa,stuffb)
| transaction source destination Stuff url startswith="word" endswith="anotherword" keepevicted=true maxevents=2
| search sourcetype=banana closed_txn=0
| table _time source destination Stuff url

Thanks

0 Karma

niketn
Legend

@jodros stats might be a better way, but the community would be able to assist better if you can provide some cooked-up dummy data for events containing word and anotherword.

There are several examples on the community for this kind of use case with stats as an alternative to transaction.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
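A streaming alternative to the transaction search posted above, added here as an example and not code posted by jodros or niketn. It assumes the field names from that search (source, destination, url, stuffa/stuffb, action=blocked on the apple side), a lookback of 5 minutes (300 seconds), and an alert scheduled every 5 minutes that should fire for apple events of the last 5 minutes that have no matching banana event in the 5 minutes before them. streamstats walks the events in time order and carries forward, per key, the _time of the most recent banana event, so each apple event is compared only against banana events that precede it:

```spl
(sourcetype=apple action=blocked) OR sourcetype=banana earliest=-10m@m latest=now
| eval Stuff=coalesce(stuffa, stuffb)
| sort 0 _time
| streamstats last(eval(if(sourcetype=="banana", _time, null()))) AS last_banana BY source destination Stuff url
| where sourcetype=="apple" AND _time>=relative_time(now(), "-5m@m")
| where isnull(last_banana) OR (_time - last_banana) > 300
| table _time source destination Stuff url
```

The base search window is 10 minutes, not 5: an apple event at the very start of the 5-minute alert window must still be able to see banana events up to 5 minutes before it, so the search reaches back twice as far and the first where clause then restricts the alert to apple events from the last 5 minutes. Every banana event that arrives later than its apple event is ignored on purpose, matching the "look back" requirement. Because streamstats is a streaming command, it does not hold open transactions in memory the way transaction with keepevicted=true does, which is usually what makes that approach expensive at volume. One caveat: sort 0 _time does not define the order of a banana and an apple event with identical _time, so such a pair counts as a match only if the banana event happens to sort first; if that matters, compare on a coarser key or widen the check.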