Inputlookup Not matching Data

swright_rl — Fri, 17 May 2019 15:07:24 GMT

Hi,

I'm trying to make a whitelist for encoded commands which IT Support use and I'm having a problem getting an inputlookup to match against a particular entry in the csv.

The query which I'm using is

(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*") 
| search NOT 
    [| inputlookup CommandLine_whitelist.csv ] 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process, CommandLine

And I'm trying to exclude this CommandLine (this is exactly how it appears in the logs):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -noprofile -encodedCommand RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAIAAtAGEAbgBkACAAJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAC4AbABlAG4AZwB0AGgAIAAtAGwAdAAgADMAOQAgAC0AYQBuAGQAIAAkAF8ALgBVAG4AaQBuAHMAdABhAGwAbABTAHQAcgBpAG4AZwAgAC0AbABpAGsAZQAgACIAKgBtAHMAaQBlAHgAZQBjACoAIgB9ACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUALAAgAFAAUwBDAGgAaQBsAGQATgBhAG0AZQAsACAARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuACwAIABJAG4AcwB0AGEAbABsAEQAYQB0AGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAEAAewBOAGEAbQBlAD0AJwBBAHAAcAAgAE4AYQBtAGUAJwA7AEUAeAA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIFAAcgBvAGQAdQBjAHQAIABDAG8AZABlABggOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBQAFMAQwBoAGkAbABkAE4AYQBtAGUAfQB9ACwAYAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABAAHsATgBhAG0AZQA9ABggVgBlAHIAcwBpAG8AbgAZIDsARQB4AHAAcgBlAHMAcwBpAG8AbgA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIEkAbgBzAHQAYQBsAGwAZQBkACAATwBuABkgOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBJAG4AcwB0AGEAbABsAEQAYQB0AGUAfQB9ACAAfAAgAFMAbwByAHQAIAAnAEEAcABwACAATgBhAG0AZQAnAA== -inputFormat xml -outputFormat xml

We have other / longer commands which work without a problem, but for the life of me, I cannot get this to work. I'm guessing it has something to do with something in the encoded string which is breaking matching on it, but I don't know what it is, or how to fix it.

Any help would be greatly appreciated.

Thanks,

Steve

Re: Inputlookup Not matching Data

starcher — Fri, 17 May 2019 15:55:30 GMT

Doing windows logs with lots of escaping is a pain. consider doing an md5 hash of the. command string and don't inputlookup. Use a lookup as a lookup. Just make sure you lookup is of the hash values.

(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*") 
| eval command_hash=md5(CommandLine) 
| lookup CommandLine_whitelist command_hash OUTPUTNEW command_hash  AS isFound 
| where isnull(command_hash)

Re: Inputlookup Not matching Data

swright_rl — Mon, 20 May 2019 09:37:28 GMT

This works great thanks.

topic Re: Inputlookup Not matching Data in Splunk Enterprise Security

Inputlookup Not matching Data

Re: Inputlookup Not matching Data

Re: Inputlookup Not matching Data