I created a search for pushing clean MD5 hashes to a CSV in order to filter out said MD5's. For non-repudiation purposes, I am attempting to send the current users name into the CSV as well.
To make it easier, the base search is below:
index=mcafee Customer=Yes AND signature!="[New*" AND ("ad.Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv") $wild$
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "Executable,Fingerprint"
| eventstats sum(count) as total_host
| where count<11
| rename "Executable_,Fingerprint" AS "File Hash", earliest(TIME) AS "First Seen", count AS Count
| table "File Hash", Count, "Set As Clean" "Username"
|eval "Set As Clean"="Clean"
| eval "Username"="$env:user_realname$"
| sort -Count
Then a search macro runs, pushing the MD5 to the CSV along with the file name (Command below). The issue I am having here is that the token $env:user_realname$ does not appear to be valid in the search macro. Username returns the literal string "$env:user_realname$" instead of the actual user name. If not in quotes, Username returns blank. I am not sure what I am missing.
| dedup "Executable_,Fingerprint"
| head 1
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv
... View more