topic Re: How do I join my epO events with my user login events? in Splunk Search

How do I join my epO events with my user login events?

gods_warrior — Wed, 04 May 2016 21:49:45 GMT

I am trying to alert on when a specific user logs into an affected / malware not cleaned machine. I am using the following search, but can't seem to get the join to work. All I see are the signatures from the Windows events, but nothing from McAfee..

index=wineventlog EventCode=4624 | lookup privileged_users.csv user | search nick="*" | join type=left user [search index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user | rename user as pua] | stats count by pua

Thoughts?

Re: How do I join my epO events with my user login events?

MuS — Wed, 04 May 2016 22:02:56 GMT

Hi gods_warrior,

you're joining on user but the subsearch does not return a user field it returns pua.

Anyway you can run this as one search without using join - see reason for that here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html or in the March 2016 virtual .conf here http://wiki.splunk.com/Virtual_.conf

Back to your search:

( index=wineventlog EventCode=4624 search nick="*" ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user ) 
| lookup privileged_users.csv user 
| stats count by user *any other further needed fields*

This should return a count of user from both indexes. Also this should straight away because you will get user from index=wineventlog and from index=mcafee based on your provided search example.

Hope this helps ...

cheers, MuS

Re: How do I join my epO events with my user login events?

gods_warrior — Wed, 04 May 2016 22:20:47 GMT

MuS .. Thanks for the reply. Still doesn't work .. the nick value is a field name in the lookup value for privileged_users.csv .. really what I am hoping to see is the user and signatures which I can add output as the following results. User logs into device that is infected and I can see the complete correlation on that result.

Re: How do I join my epO events with my user login events?

MuS — Wed, 04 May 2016 22:23:05 GMT

Can you provide examples from both sources please?

Meanwhile try this:

( index=wineventlog EventCode=4624 ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user ) 
 | lookup privileged_users.csv user 
 | search nick="*"
 | stats count by user *any other further needed fields*

Re: How do I join my epO events with my user login events?

gods_warrior — Wed, 04 May 2016 22:48:35 GMT

I can't provide samples for compliance reasons. However, the search shows the succesful login event from windows but I don't see any correlation from the mcafee logs .. also I changed the value 0f =0 to =1 in the mcafee subsearch it doesn't appear to be reading the subsearch only the windows search..

Re: How do I join my epO events with my user login events?

MuS — Wed, 04 May 2016 23:10:46 GMT

Okay let's do this step by step:

index=wineventlog EventCode=4624

this returns a field called user, I know because you use it is the lookup 😉

| lookup privileged_users.csv user
the mentioned lookup the enrich user information

index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user
as long as this search returns a field called user as well, you can use stats to group it by this field.

Please verify each search and make sure they both return a user field.
Don't use a sub search for this 😉

Re: How do I join my epO events with my user login events?

gods_warrior — Wed, 04 May 2016 23:40:31 GMT

I know that the user fields do exist in both searches. However, I don't see any type of signature or user logs from the mcafee search. The only think I see are the windows events. not sure why I am not seeing any output from the McAfee events..

Re: How do I join my epO events with my user login events?

MuS — Thu, 05 May 2016 00:24:46 GMT

check the time range and/or only search for the McAfee events to make sure they are available