
Subsearches & Joins

Communicator

Hi Team,

I'm writing a search that will alert when a user account authenticates and is granted privileges. Our admin team often use the Remote Control Viewer to remote into assets, and we would like to exclude them. Unfortunately, we don't have a standardised naming convention, so we can exclude some admin accounts, but not all of them.

I want to write a search that takes the AccountName, and then runs a sub-search to identify whether that AccountName has been associated with the NewProcessName of *RemoteControlViewer.exe and, if they have, exclude them.

I've got the below logic and I've played around with multiple types of join and appendcols, but I'm getting nowhere. Can someone help?

sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672) AND (Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin" Account_Domain="<DOMAIN>") 
| join Account_Name 
    [ search sourcetype=WinEventLog:Security EventCode=4688 
    | stats values(New_Process_Name) AS NPN by Account_Name
    | fields NPN] 
| search NOT 
    [| inputlookup WL_Global 
    | rename src as Source_Network_Address 
    | fields Source_Network_Address] 
| search NOT 
    [| inputlookup WL_B_10_104 
    | fields Account_Name, host] 
| fillnull value=N/A Group_Domain Group_Name 
| eval Target_Account=mvindex(Security_ID, -0) 
| convert ctime(_time) as Time timeformat="%H:%M:%S %d/%m/%y" 
| stats values(Account_Domain) as Account_Domain values(NPN) as New_PN values(name) as name values(Group_Name) as Group_Name values(Group_Domain) as Group_Domain by Account_Name host Time
| search New_PN!=*RemoteControlViewer.exe
| fields Time Account_Name host Account_Domain name Group_Name Group_Domain

Any assistance would be greatly appreciated.


Re: Subsearches & Joins

Motivator

I think your troubles lie with the join command. Check out the join documentation.

When using the join command, one or more fields must be common between the base search and the sub search. (They are specified right after the join command.) In your case, the specified common field is Account_Name, but the subsearch only returns the field NPN. So there will be no matches.

I think it might be easier here to use a subsearch instead of a join operation. Try it like this:

sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672) AND (Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin" Account_Domain="<DOMAIN>") 
NOT [search sourcetype=WinEventLog:Security EventCode=4688 New_Process_Name="*RemoteControlViewer.exe"
   | table Account_Name] 
...
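An added example (my own, not part of the answer above) that reaches the same exclusion without a subsearch, so it is not subject to the subsearch result and time limits: pull the privilege events and the RemoteControlViewer.exe 4688 events in one search, count both per account with stats, and keep only accounts with privilege events and no viewer launches. It assumes the same sourcetype, field names and placeholder domain as the question.

```spl
sourcetype=WinEventLog:Security Account_Domain="<DOMAIN>"
    (EventCode=4732 OR EventCode=4672 OR (EventCode=4688 New_Process_Name="*RemoteControlViewer.exe"))
    Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin"
| eval viewer_run=if(EventCode=4688, 1, 0)
| eval priv_event=if(EventCode=4672 OR EventCode=4732, 1, 0)
| stats sum(viewer_run) AS viewer_runs sum(priv_event) AS priv_events
        values(host) AS host values(Group_Name) AS Group_Name values(Group_Domain) AS Group_Domain
        min(_time) AS first_seen max(_time) AS last_seen
        by Account_Name
| where priv_events > 0 AND viewer_runs = 0
| fillnull value=N/A Group_Domain Group_Name
| convert timeformat="%H:%M:%S %d/%m/%y" ctime(first_seen) ctime(last_seen)
| fields Account_Name host Group_Name Group_Domain first_seen last_seen priv_events
```

As with the NOT-subsearch version, the exclusion covers the whole search window: an account that launched the viewer once is hidden for every privilege grant in that window, which is a blind spot if such an account is misused. On newer Windows builds 4688 carries both a Creator Subject and a Target Subject, so Account_Name can be multivalued and stats will expand it into one row per value, counting both accounts as viewer users.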