Splunk Enterprise Security

Correlate two search results.

New Member

Hello,

I have two queries from two DMs (Authentication and Change-Analysis).

Task: Basically, I need to exclude the users who have changed the password themselves in the last 3 days for a brute force detection.

I am having a hard time merging the two results from the two DMs. The query which is using the Authentication DM is grouped by src, and the other query which is using Change-Analysis does not have a src field, but both have the "user" field in common. How do I merge them?

Can we join these two queries using the common field "user", or a subsearch?

The below is not the actual working query, but it shows that I need to join the subsearch. Please let me know if you still need more clarification on this.

Sample:
| from datamodel:"Authentication"."Authentication"
| search user!=[search index=oswinsec earliest=-72h@h latest=-1h@h tag=account ((EventCode=4723 status=success) OR (EventCode=4738 action=modified)) user!="$" | stats dc(EventCode) as count by user | where count=2 | table user]
| stats count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src

0 Karma

New Member

Thanks for the response. I think it works, but I have a major question. Please find the following query, where the query is run for the last 24 hours. However, will the subsearch alone go 120h back in the timeline, give the results and be fed into the top search query which is being run for 24 hours?

| from datamodel:"Authentication"."Authentication"
| search user NOT [search index=oswinsec earliest=-120h@h latest=+0s tag=account EventCode=4724 | stats count by user | fields user]
| stats count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src

0 Karma

SplunkTrust

Yes, you should still be able to use different time periods; you just need to make sure the subsearch doesn't reach its limits.

0 Karma

New Member

Thanks Lakshman. Would you tell me what you mean by limits in subsearch?

0 Karma

SplunkTrust

Generally, we try to avoid using subsearches, as if one runs for more than 60 secs, Splunk stops it and limits the number of results. This is something you need to be aware of, but in your case, since you are using stats, hopefully the results are quicker - https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchTutorial/Useasubsearch

0 Karma

New Member

Thank you.

0 Karma

SplunkTrust

If you are happy with the solution/approach, please accept the solution to close tracking.

0 Karma

SplunkTrust

If you have a common field in both data models, you should still be able to use them [join/append/subsearch] like normal searches. Here is a search I noticed in one of the .conf papers using append to take data from different DMs.

If you share your search, we can look further.

| tstats prestats=t summariesonly=t count(Malware_Attacks.src) as malwarehits from datamodel=Malware where Malware_Attacks.action=allowed groupby Malware_Attacks.src
| tstats prestats=t append=t summariesonly=t count(web.src) as webhits from datamodel=Web where web.http_user_agent="shockwave flash" groupby web.src
| tstats prestats=t append=t summariesonly=t count(All_Changes.dest) from datamodel=Change_Analysis where sourcetype=carbon_black OR sourcetype=sysmon groupby All_Changes.dest
| rename web.src as src Malware_Attacks.src as src All_Changes.dest as src
| stats count(Malware_Attacks.src) as malwarehits count(web.src) as webhits count(All_Changes.dest) as process_launches by src
0 Karma
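Applying the append pattern from the reply above to the password-change exclusion asked about in the thread, and addressing the subsearch-limit point raised earlier, here is an added example that is not from any post in this thread. It pulls the Authentication data model events and the raw EventCode=4724 events into one result set, flags with eventstats every user who reset a password in the wider window, and counts only the remaining users per src. The index, tag, EventCode, data model and the user/src/action field names are taken from the thread; the changed_pw and changed_pw_any field names, the 120h window and the final failure threshold are assumptions for illustration.

```spl
| from datamodel:"Authentication"."Authentication"
| eval changed_pw=0
| append maxout=50000 maxtime=120
    [ search index=oswinsec earliest=-120h@h latest=now tag=account EventCode=4724
      | stats count by user
      | eval changed_pw=1
      | fields user changed_pw ]
| eventstats max(changed_pw) as changed_pw_any by user
| where changed_pw_any=0 AND isnotnull(src)
| stats count(eval('action'=="failure")) as failure, count(eval('action'=="success")) as success by src
| where failure > 0
```

The outer search keeps whatever time range the alert is scheduled with (24 hours in the question), while the appended search carries its own earliest/latest and so looks back 120 hours regardless; that is the same behaviour as the `user NOT [...]` subsearch, but the appended rows are one row per user after `stats count by user`, which keeps the row count small. `append` still runs a subsearch internally, so its `maxout` and `maxtime` arguments are set explicitly rather than relying on the defaults; the appended rows have no src, so `isnotnull(src)` drops them before the per-source counting, and only users whose `changed_pw_any` is 0 (no password reset in the window) survive into the brute-force tally.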


New Member

Would this work?

| search user NOT [search index=oswinsec earliest=-72h@h latest=-1h@h tag=account ((EventCode=4723 status=success) OR (EventCode=4738 action=modified)) user!="$" | stats dc(EventCode) as count by user | where count=2 | table user]

0 Karma

SplunkTrust

Have you tried it?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
