topic Re: Search That Looks Back in Time and Checks Fields in Splunk Search

Search That Looks Back in Time and Checks Fields

jodros — Fri, 07 Aug 2020 21:34:27 GMT

I need assistance building a search that looks back in time 5 minutes to check and see if fields are present. If so I do not need it to return any results. This is correlating two different security logs

Example:

sourcetype=a field=1 field=2 field=3 is used to look back 5 minutes against

sourcetype=b field=1 field=2 field=3

If there is a match, return no results. If no match, return sourcetype=a field=1 field=2 field=3 results.

Any assistance would be appreciated.

Re: Search That Looks Back in Time and Checks Fields

niketn — Sun, 09 Aug 2020 07:11:51 GMT

@jodros please add more relevant details. Do you want to correlate based on field names or values of the fields? i.e. field1, field2 and field3 to be present in the event? Or for field1=<value1>, field2=<value2> and field3=<value3> you want to correlate when the values value1, value2 and value3 are the same for the three fields? Please add some sample cooked up data for the two events and the final expected output so that the community can assist you better!

Re: Search That Looks Back in Time and Checks Fields

jodros — Mon, 10 Aug 2020 13:36:03 GMT

Thanks @niketn . Both sourcetypes have the same fields, (field 1, field 2, field 3). I need to know when they also have the same values. This is for a security alert. The alert should search for the three fields in sourcetype "a" then look back in time from that point back 5 minutes (-5m@m to now) for the same fields and values in sourcetype "b". If the same fields and values are found, then no alert should fire. If the same fields and values are not found, then an alert should fire with the data from sourcetype "a" (field 1, field 2, field 3).

Thanks

Re: Search That Looks Back in Time and Checks Fields

jodros — Mon, 10 Aug 2020 13:37:40 GMT

I think I have found a way to get this working with a lookup file, but I would rather not use that method.

Re: Search That Looks Back in Time and Checks Fields

jodros — Tue, 11 Aug 2020 15:56:16 GMT

I am trying something like this, but it is not working.

(sourcetype=apple action=blocked) | append [ search sourcetype=banana | rename source as bsource destination as bdestination url as burl] | eval contained = if(bsource != source, "false", if(bdestination != destination, "false", if(burl != url, "false", "true"))) | table bsource bdestination burl | where contained = false

Any help would be appreciated.

Re: Search That Looks Back in Time and Checks Fields

jodros — Tue, 11 Aug 2020 20:54:17 GMT

I think I got this working with transactions. Let me know if this is the best way or if there is a more cpu friendly way.

(sourcetype=apple action=blocked) OR (sourcetype=banana) | eval Stuff=coalesce(stuffa,stuffb) | transaction source destination Stuff url startswith="word" endswith="anotherword" keepevicted=true maxevents=2 | search sourcetype=banana closed_txn=0 | table _time source destination Stuff url

Thanks

Re: Search That Looks Back in Time and Checks Fields

niketn — Wed, 12 Aug 2020 03:38:19 GMT

@jodros stats might be better way, but community would be able to assist better if you can provide some cooked up dummy data for events containing word and anotherword.

There are several examples on community for such kind of use case with stats as an alternative for transaction.