topic Re: Compound Search with two sourcetypes in Splunk Search

Compound Search with two sourcetypes

hartfoml — Mon, 28 Sep 2020 13:44:35 GMT

I want to search for an IDS event like this

sourcetype=IDS "MALWARE-CNC"

Then I want to use the src_IP and dst_IP to search the proxy logs to see if the proxy blocked the traffic. Something Like this I would think

sourcetype=IDS "MALWARE-CNC" | fields src_ip dst_ip [ search sourcetype=proxy src_ip dst_ip action!=DENIED]

Re: Compound Search with two sourcetypes

jonuwz — Tue, 16 Apr 2013 20:05:27 GMT

nearly : )

sourcetype=proxy action!=DENIED [ search sourcetype=IDS "MALWARE-CNC" | fields src dst | dedup src dst | rename src as src_ip dst as dst_ip ]

Edit missed out "search" in the sub search

Re: Compound Search with two sourcetypes

hartfoml — Tue, 16 Apr 2013 20:21:05 GMT

So why do I put the proxy search first? there are lots of "Not DENIED" logs to look through and I am only looking for one. Why not find the IP in IDS and pass to the proxy search?

Re: Compound Search with two sourcetypes

theouhuios — Tue, 16 Apr 2013 20:24:52 GMT

If you are looking for just one, then why use "NOT DENIED"? Instead you can use that same value to search on. Try to create your searches in as positive as possible manner. It will help in performance.

Re: Compound Search with two sourcetypes

hartfoml — Tue, 16 Apr 2013 20:28:33 GMT

If I get the IDS alert and it is not denied by the proxy then an exploit is at hand. If the traffic is denied I can look at it later and don't need the alert right now.

So the !DENIED will generate an event that I can alert on.

Re: Compound Search with two sourcetypes

sideview — Tue, 16 Apr 2013 20:29:49 GMT

When a subsearch is processed, it's the inner subsearch that is run first, so in jonuwz's example, the malware-cnc search is processed first, and it's only the src and dest ip's of the malware search IP's that are then searched for in the proxy data.

Re: Compound Search with two sourcetypes

hartfoml — Tue, 16 Apr 2013 20:31:12 GMT

Also using the transforms I have in right now the IDS uses "src" for the source IP and the proxy uses "src_ip".

How would I right the search to convert the IP from one tag to another for the subsearch?

Re: Compound Search with two sourcetypes

sideview — Tue, 16 Apr 2013 20:34:12 GMT

Assuming it's dst and dst_ip on the destination side, it's as follows:

sourcetype=proxy action!=DENIED [ sourcetype=IDS "MALWARE-CNC" | fields src dst | dedup src dst | rename src as src_ip dst as dst_ip ]

Re: Compound Search with two sourcetypes

theouhuios — Tue, 16 Apr 2013 20:35:39 GMT

rename should do that.

Re: Compound Search with two sourcetypes

hartfoml — Mon, 28 Sep 2020 13:44:38 GMT

Nick thanks for the help. Here is the search I used

sourcetype="bcoat_proxysg" action!=TCP_DENIED [ sourcetype=IDS "MALWARE-CNC" | fields src dst | dedup src dst | rename src as src_ip dst as dst_ip ]

I get this error "Search operation 'sourcetype' is unknown. You might not have permission to run this operation."

Re: Compound Search with two sourcetypes

jonuwz — Tue, 16 Apr 2013 22:15:01 GMT

whoops - updated answer ....