https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583189#M10594 <P>Thanks for the reply. Sadly I'm using AWS Workspaces Linux and&nbsp;<SPAN>&lt;ctrl&gt;&lt;shift&gt;E doesn't work for some reason. Just prints the e character.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Feb 2022 10:16:59 GMT securitypaul 2022-02-01T10:16:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583178#M10591 <P>Hello everyone. I'm looking for some assistance with a problem where I get differing search results from what should be the same search.</P><P>Backstory</P><P>I’m testing changes to the “ESCU - Malicious PowerShell Process - Execution Policy Bypass – Rule” so that I can filter out known PowerShell events.</P><P>Using the same search head, user,&nbsp; date and time range, and what should be two identical macros, I get different search results.</P><P>&nbsp;</P><P>The original search uses this macro: “malicious_powershell_process___execution_policy_bypass_filter”</P><P>The original search is:</P><P>| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest<BR />| `drop_dm_object_name(Processes)`<BR />| `security_content_ctime(firstTime)`<BR />| `security_content_ctime(lastTime)`<BR />| `malicious_powershell_process___execution_policy_bypass_filter`</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Search results original macro.PNG" style="width: 711px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17766i75CB6E59A0A01A38/image-dimensions/711x176?v=v2" width="711" height="176" role="button" title="Search results original macro.PNG" alt="Search results original macro.PNG" /></span></P><P> </P><P><BR />The test search uses this macro: “malicious_powershell_process___execution_policy_bypass_filter-test”</P><P>The test search is:</P><P>| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest<BR />| `drop_dm_object_name(Processes)`<BR />| `security_content_ctime(firstTime)`<BR />| `security_content_ctime(lastTime)`<BR />| `malicious_powershell_process___execution_policy_bypass_filter-test`</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Search results test macro.PNG" style="width: 705px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17767iDBA7A27579C0961E/image-dimensions/705x164?v=v2" width="705" height="164" role="button" title="Search results test macro.PNG" alt="Search results test macro.PNG" /></span></P><P>Both macros contain the same content to exclude Splunk Universal Forwarder PowerShell scripts:</P><P>search (process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\nt6-health.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'c:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\nt6-repl-stat.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'c:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\nt6-siteinfo.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\dns-zoneinfo.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\dns-health.ps1'\"")</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Macros.PNG" style="width: 596px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17768iC748F86EE675F60A/image-dimensions/596x233?v=v2" width="596" height="233" role="button" title="Macros.PNG" alt="Macros.PNG" /></span></P><P> </P><P><BR />When I run both searches I get different results and I’m unsure why. The macro appended -test works fine. When I copy its contents to the original macro, that search does not seem to use the new contents.</P><P>I made these changes last week and today get the same results.</P><P>Any ideas as to what might be causing this?</P> Tue, 01 Feb 2022 09:11:44 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583178#M10591 securitypaul 2022-02-01T09:11:44Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583186#M10593 <P>If you expand the macros (&lt;ctrl&gt;&lt;shift&gt;E) do they expand as you would expect?</P><P>I have noticed that sometimes "updated" macros are not always updated in a timely manner, but I haven't figured out when and why this is - usually I keep retrying the update until it works. Sorry, that that is not much help.</P> Tue, 01 Feb 2022 09:56:30 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583186#M10593 ITWhisperer 2022-02-01T09:56:30Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583189#M10594 <P>Thanks for the reply. Sadly I'm using AWS Workspaces Linux and&nbsp;<SPAN>&lt;ctrl&gt;&lt;shift&gt;E doesn't work for some reason. Just prints the e character.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Feb 2022 10:16:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583189#M10594 securitypaul 2022-02-01T10:16:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583349#M10598 <P>Seems like it was a copy / paste oddity. I edited the macro again and copied / pasted the text back in. It works as expected now.</P><P>Perhaps there was some extra hidden characters that were causing an issue.</P><P>Thanks for the help.</P> Wed, 02 Feb 2022 09:21:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Different-Search-Results-From-Two-Macros-With-Same-Contents/m-p/583349#M10598 securitypaul 2022-02-02T09:21:40Z