topic Re: Multisearching in Splunk Enterprise Security

Multisearching

celdridge1988 — Tue, 07 Jan 2020 09:52:02 GMT

Hi All,
First post on here. Hopefully this makes sense and isn't overly convoluted.

So, I have a datamodel correlation search in Enterprise Security that looks for accounts being deleted:

| from datamodel:"Change_Analysis"."Account_Management" | where 'tag'="delete" | search NOT "changed: /usr*" | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(result) as "signature",values(src) as "src",values(dest) as "dest",count by "src_user","user" | where 'count'>0

This is great, however I have an access management team and I don't want their accounts to trigger a notable event. I understand that I can put exceptions in for each member of the team, but there would be an admin overhead to keep this up to date.
I have a ldapsearchthat extracts the surnames of the team members from active directory:

| ldapsearch search="(&(objectClass=group) (cn=*))" attrs="member,sAMAccountName" basedn="CN=<GroupName>,OU=<OU>,DC=<DC>" 
| rex field=member "CN=([^,\d]*)* (?<Surnames>[^,\d]*)" 
| table Surnames 
| mvexpand Surnames

Is there a way to combine these searches and get the correlation search to look at the list of surnames and not trigger if a match is found? They won't be an exact match but the surname of the user will be present in the account name used to admin my DC.

Thanks all!!

Re: Multisearching

gfreitas — Tue, 07 Jan 2020 11:33:21 GMT

Hi I would suggest you write the results from your ldapsearch to a lookup, let's say access_mgmt_team.csv.
Then I would change the correlation search to not search for those users using the format command. Example below of a subsearch

| from datamodel:"Change_Analysis"."Account_Management" 
| where 'tag'="delete" 
| search NOT "changed: /usr*"  [|inputlookup access_mgmt_team.csv | format "(" "NOT (" "AND" ")" "OR" ")"]
| stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(result) as "signature",values(src) as "src",values(dest) as "dest",count by "src_user","user" 
| where 'count'>0

Hope this helps

Re: Multisearching

celdridge1988 — Wed, 08 Jan 2020 12:03:33 GMT

Hi, Thank you for such a quick response.
I've created the lookup however it's not removing the entries for the team. Could it be because i'm only extracting their surnames from the lookup which isn't exactly the user account name? For instance, using the name 'John Smith' as an example to this situation. The LDAP search would take 'Smith' and list it in the .csv. The account name format he would have is 'dd_smithl' so I want to compare the csv, get it to see smith is there and detect smith in the account name.
Sorry, Getting quite complex now.

Re: Multisearching

gfreitas — Wed, 08 Jan 2020 14:34:26 GMT

Hi, I would suggest you get a wildcard before and after the surnames that way the lookup entry would look like smith. To do that you can edit the ldapsearch query and add the following in the end: | eval Surname= "*" + Surname + "*". That should add the wildcards on the lookup you're using to whitelist.
Hopefully that helps