topic Re: how to use top alongside with tstats in Splunk Search

how to use top alongside with tstats

romanpro — Fri, 13 Sep 2024 09:07:35 GMT

how can I use top command after migrating to tstats? I need the same result, but looks like it can be done only using top, so I need it

index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" status IN ("*")
| rename analysis.threat_score AS ats
| where isnum(ats)
| eval ats_num=tonumber(ats)
| eval selected_ranges="*"
| eval token_score="*"
| eval within_selected_range=0
| rex field=selected_ranges "(?<start>\d+)-(?<end>\d+)"
| eval start=tonumber(start), end=tonumber(end)
| eval within_selected_range=if(
(ats_num >= start AND ats_num <= end) OR token_score="*",
1,
within_selected_range
)
| where within_selected_range=1
| rename "analysis.behaviors{}.title" as "Behavioral indicator"
| top limit=10 "Behavioral indicator"

I tried this but it doesnt return me percent

| tstats prestats=true count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" Secure_Malware_Analytics_Dataset.status IN ("*") by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| chart count by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| sort - count | head 20

Re: how to use top alongside with tstats

ITWhisperer — Fri, 13 Sep 2024 10:32:43 GMT

Not sure why you are using prestats=true - try something like this

| tstats count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" Secure_Malware_Analytics_Dataset.status IN ("*") by Secure_Malware_Analytics_Dataset.analysis_behaviors_title | eventstats sum(Count) as Total | eval Percent=100*Count/Total | sort - Count | head 20

Re: how to use top alongside with tstats

romanpro — Fri, 13 Sep 2024 11:02:39 GMT

good try, but it skipped the list of the titles I have in my input query, I have a correct output of counts, but without titles

Re: how to use top alongside with tstats

ITWhisperer — Fri, 13 Sep 2024 11:10:15 GMT

I don't know what this means, please can you show what you are getting and what you expected to get?

Re: how to use top alongside with tstats

romanpro — Fri, 13 Sep 2024 11:42:14 GMT

here's what I get from my previous query, and what I expect to get

Environment Convicted Not Convicted

Environment	convicted	not convicted
browser	8	12
win10	79	250
win10-x64-2-beta	0	117
win10-x64-browser	12	6
win7-x64	2	832

here's what I get from the query you provided, I hope it helps

Secure_Malware_Analytics_Dataset.analysis_behaviors_title Count Percent Total

Secure_Malware_Analytics_Dataset.analysis_behaviors_title	count	percent	total
Executable Imported the IsDebuggerPresent Symbol	835	14.421416234887737	5790
PE Contains TLS Callback Entries	690	11.917098445595855	5790
Executable with Encrypted Sections	622	10.7426597582038	5790
Executable Artifact Imports Tool Help Functions	428	7.392055267702936	5790
PE Checksum is Invalid	403	6.960276338514681	5790
Artifact With Multiple Extensions Detected	364	6.286701208981002	5790
Executable Signed With Digital Certificate	277	4.784110535405873	5790
Process Modified File in a User Directory	250	4.317789291882556	5790
Executable Signing Date Invalid	220	3.7996545768566494	5790
Possible Registry Persistence Mechanism Detected	140	2.4179620034542313	5790
PE DOS Header Initial SP Value is Abnormal	138	2.383419689119171	5790
Static Analysis Flagged Artifact As Anomalous	86	1.4853195164075994	5790
Windows Crash Tool Execution Detected	85	1.468048359240069	5790
Artifact Flagged Malicious by Antivirus Service	81	1.3989637305699483	5790
A Crash Dump File Was Created	77	1.3298791018998273	5790

Re: how to use top alongside with tstats

ITWhisperer — Fri, 13 Sep 2024 12:06:35 GMT

Is what you expected to get what you got from your non-tstats search?

Re: how to use top alongside with tstats

romanpro — Fri, 13 Sep 2024 12:16:47 GMT

correct

Re: how to use top alongside with tstats

ITWhisperer — Fri, 13 Sep 2024 15:41:00 GMT

So your conversion to tstats is not complete then? Using the data you get back from tstats is there sufficient information for you to compile the results you want (or do you need a different version of the tstats search?

Re: how to use top alongside with tstats

romanpro — Fri, 13 Sep 2024 15:42:39 GMT

this is exactly why I'm here. My tstats query isn't completed, I need this data to be shown in logs as it used to be in my usual query (non-tstats one)

Re: how to use top alongside with tstats

romanpro — Fri, 13 Sep 2024 15:44:01 GMT

I need this query to use top command, but looks like it should be rewritten first in some kind of way

Re: how to use top alongside with tstats

ITWhisperer — Fri, 13 Sep 2024 15:44:32 GMT

Without seeing your events it is difficult to determine what you need to do with the tstats to get the data you want.

Re: how to use top alongside with tstats

romanpro — Fri, 13 Sep 2024 15:45:59 GMT

I thought showing my logs is enough with that in mind I need the exact command to be there

Re: how to use top alongside with tstats

ITWhisperer — Fri, 13 Sep 2024 17:33:11 GMT

Where did you show your events?