topic Re: Splunk search with multiple macros in Splunk Search

Splunk search with multiple macros

SIEMStudent — Thu, 18 Nov 2021 08:36:47 GMT

Hi all,

I have a question about macros: suppose I must use, inside a search, multiple macros. Those macros can be related between them by simple logical condition like AND and OR; what is the right syntax to tell to search to use more than one macro? Is the append command or other?

UPDATE

Let me modify the post, after @ITWhisperer explaination.

The current desiderd behavior is to perform security check with rules that uses multiple macros. We don't know if it is the best way and/or absolutely required by customer, but at writing time is our guideline.

We have the following situation:

1. Two or more macros linked with AND operator. Consider the following macros:

`remote to local` = | eval (All_traffic.src) as src from datamodel="Network traffic"| eval (All_traffic.dest) as dest from datamodel="Network traffic" |where ( src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16) AND ( dest=10.0.0.0/8 OR dest=172.16.0.0/12 OR dest=192.168.0.0/16)

set to use Data Model instead of raw events and that evaluate if the connection is from internet to local network.

The other one is the following:

`successfull communication` = | eval(All_traffic.bytes_in/All_traffic.packets_in) as input_rate from datamodel="Network traffic" | eval(All_traffic.bytes_out/All_traffic.packets_out) as output_rate from datamodel="Network traffic" | where input_rate > 80 and output_rate > 80

which try to understand if the communication between source and dest works fine counting the bytes/packets rate.

What about if, in my rules, I have to use them linked with AND and used as filter? I mean, the final rule structure is something like that:

<my search>....| where `remote to local` AND `successfull communication`

2. The Macros should be putted togheter with OR. This becaus the rule try multiple way to understand if something is happening or not.

Consider this macros:

that try to check if a IRC server is in execution checking some network data, like firewall pass, tcp protocol, destination port present in IRCPorts.csv file and excluding some authorized server putted in WhitelistIP.csv.

Then, we must make a macros that try to find if an IRC client is in execution; currently we don't know how to realize this, so let me put here simply its name:

`IRC Client Detected`

So, the final search whant use this 2 macros as filter and trigger if one of them is true; something like:

<some search>...| where `IRC Check with Firewalls` OR `IRC Client Detected`

3. Any combination between AND and OR. Using the above macros, something like:

<some search>...| where `remote to local` AND (`IRC Check with Firewalls` OR `IRC Client Detected`)

Re: Splunk search with multiple macros

ITWhisperer — Wed, 17 Nov 2021 14:24:40 GMT

Macros are just a way of shortening the SPL code - you can use <ctrl><shift>E in the search box to expand the macros - the expanded macros have to still form valid SPL. This is a long way of saying, it depends on your macros and what they do!

Re: Splunk search with multiple macros

SIEMStudent — Wed, 17 Nov 2021 15:25:43 GMT

You are right, my fault, I apologize.

The macro I have to create are used by Security Use Cases and so are used to determine if the rule must trigger or not. Normally, I have 2 possibility:

1. The macro can call, inside it, another macro

As example, suppose I have this 2 macros:

a. `communication request` which notify if a communication request has been done; if yes, it calls:
b. `communication successfull` that state if the communication has worked fine.

In this case, should I use a syntax like `communication request` append `communication successfull`?

2. The Macro does not call another macro inside it, but the rule need multiple one to decide if activate or not.

As example, suppose I have to detect if a IRC local Server is founded and for this I have 3 macros:

a. `remote to local`, used to determine if the connection has remote src and local dest address
b. `firewall pass`, used to determine if on this connection I have a firewall pass
c. `application used`, which determine the application used to connect to IRC server

In this case, the 3 macros must be divided with pipe? Something like:
|`remote to local` |`firewall pass` |`application used`

Re: Splunk search with multiple macros

ITWhisperer — Wed, 17 Nov 2021 16:38:33 GMT

It depends on what the macros expand to - you haven't provided this information so it is not possible to say how the macros should be used.

Re: Splunk search with multiple macros

SIEMStudent — Thu, 18 Nov 2021 08:13:15 GMT

I understand. So let me update my starting post to better explain the scenario, with same sample macros.

Re: Splunk search with multiple macros

ITWhisperer — Thu, 18 Nov 2021 09:06:08 GMT

The macros don't look like they would expand to valid syntax to be used in a where clause as you described. Perhaps you should try constructing the search query without macros first to get the results you require, then work out which bits can be converted to macros.

Re: Splunk search with multiple macros

SIEMStudent — Thu, 18 Nov 2021 09:19:16 GMT

Thanks, it is exactely what I was afraid of.