Splunk Enterprise Security

Correlation Search - results not displaying correctly

Explorer

I've been spending a long time trying to get 1 correlation search working. The search is to find non-standard hostnames that have been assigned a DHCP address; this would cover a scenario where a rogue laptop is plugged into the network.

The search I am using is:

description=assign | search dest!=Prefix1* | search dest!=Prefix2* | search dest!=Prefix3* | search dest!=Prefix4* | search dest_ip!=10.50.x.1/20 dest_ip!=10.51.x.1/21 dest_ip!=10.49.x.1/27 | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac

Prefix1, Prefix2 etc are known hostnames that follow a naming convention.

Some VoIP phone devices that use DHCP have a hostname that is the same as their MAC address, which is why there is 'where dest!=dest_mac'.

In the notable search itself I have:

Notable event title:
Suspicious Host Discovered - $dest$ at $time$ on $date$

Notable event description:
The system $dest$ has been assigned an IP Address

Start time is: -3d (so I get some initial results; this will change to -5 when proven working)
End time is: now
cron: set to run every 5 mins

The goal is to search the last 5 mins of dhcp logs every 5 mins using the search above so that an unknown host that uses dhcp can quickly be discovered.

However in the Incident Review dashboard the title is displayed as:
Suspicious Host Discovered - unknown at unknown on unknown

It doesn't appear to read the field results correctly.

I've run this search manually in a standard search and I have 3-4 results when searching over the last 3 days.

Also, what happens if the correlation search finds multiple hostnames that fit the criteria of the search? Does it create separate notable events?

Thanks

0 Karma

Re: Correlation Search - results not displaying correctly

Esteemed Legend

Perhaps the reason it is not working is that you left out the last 2 | search strings, but you should not split your base search logic that way anyway; it wastes CPU and memory. Try this:

description=assign dest!=Prefix1* dest!=Prefix2* dest!=Prefix3* dest!=Prefix4* dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac
0 Karma

Re: Correlation Search - results not displaying correctly

Explorer

Thanks Woodcock,

I did try that syntax initially, however it does not parse correctly (used guided mode to confirm).

Splunk ES does not like the wildcard * I believe.

0 Karma

Re: Correlation Search - results not displaying correctly

Esteemed Legend

Then do this:

description=assign dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | regex dest!="^(?:Prefix1|Prefix2|Prefix3|Prefix4)" | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac

And if it still won't take the wildcard, try this:

description=assign dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac
0 Karma

Re: Correlation Search - results not displaying correctly

Explorer

The second command is returning some results, although the dest_ip!= filtering is not working; I am working on that.

0 Karma

Re: Correlation Search - results not displaying correctly

Esteemed Legend

Just convert that part to NOT LIKE, too.

0 Karma

Re: Correlation Search - results not displaying correctly

Explorer
sourcetype=DhcpSrvLog description=assign | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND NOT like(dest_ip, "10.50.96.1/20") AND NOT like(dest_ip, "10.51.80.1/21") AND NOT like(dest_ip, "10.49.16.1/27") AND dest!=dest_mac

Running this search now. The Prefix filtering is working, however the NOT like(dest_ip, "10.51.80.1/21") IP range filtering is not working. The results include those IP ranges.

0 Karma

Re: Correlation Search - results not displaying correctly

Esteemed Legend

You cannot specify IP ranges/subnets like that; you need to specify it more literally using SQL-like syntax.

0 Karma

Re: Correlation Search - results not displaying correctly

Explorer

I have used this for CIDR; it is now working:

where NOT cidrmatch("10.49.16.1/27",dest_ip)
0 Karma

Re: Correlation Search - results not displaying correctly

Explorer

1 more question -

Search results are being matched by case.
By using

NOT like(dest, "PREFIX1%")

I will still have results that are "Prefix1" or "prefix1" - how can I make the search case insensitive?

0 Karma
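The following is an added example, not code from the thread or from Splunk. It reimplements the filter logic that the thread converges on (the original DHCP search in the question, the `cidrmatch` exclusion, and the case-insensitive prefix matching asked about in the last post) in Python, so the exclusions can be checked offline against a handful of sample events before the search is deployed as a correlation search. The field names `dest`, `dest_ip`, `dest_mac`, the `Prefix1`..`Prefix4` placeholders, the domain suffix and the three subnets come from the thread; the sample events are constructed, and comparing hostname to MAC after stripping separators is an assumption that goes slightly beyond the thread's exact `dest!=dest_mac` test.

```python
"""Offline check of the rogue-DHCP-host filter from the thread (added example)."""
import ipaddress
import re

# Values taken from the thread. Prefix1..Prefix4 are the thread's placeholders
# for the real hostname naming convention.
KNOWN_PREFIXES = ("Prefix1", "Prefix2", "Prefix3", "Prefix4")
EXCLUDED_CIDRS = ("10.50.96.1/20", "10.51.80.1/21", "10.49.16.1/27")
DOMAIN_SUFFIX = ".company.domain.com"

# Constructed sample DHCP events; field names follow the thread (dest, dest_ip, dest_mac).
SAMPLE_EVENTS = [
    {"description": "assign",  "dest": "Prefix1-LT0042.company.domain.com", "dest_ip": "10.10.5.20", "dest_mac": "00:11:22:33:44:55"},
    {"description": "assign",  "dest": "prefix2-dt0007.company.domain.com", "dest_ip": "10.10.5.21", "dest_mac": "00:11:22:33:44:56"},  # lower-case prefix
    {"description": "assign",  "dest": "001122334457.company.domain.com",   "dest_ip": "10.10.5.22", "dest_mac": "00:11:22:33:44:57"},  # VoIP phone, hostname == MAC
    {"description": "assign",  "dest": "visitor-mbp.company.domain.com",    "dest_ip": "10.49.16.9", "dest_mac": "00:11:22:33:44:58"},  # unknown host, excluded subnet
    {"description": "assign",  "dest": "visitor-mbp.company.domain.com",    "dest_ip": "10.10.5.23", "dest_mac": "00:11:22:33:44:58"},  # unknown host -> should alert
    {"description": "release", "dest": "random-box.company.domain.com",     "dest_ip": "10.10.5.24", "dest_mac": "00:11:22:33:44:59"},  # not an assign
]


def strip_domain(dest: str, suffix: str = DOMAIN_SUFFIX) -> str:
    """Counterpart of the thread's rex mode=sed "s/.company.domain.com//g",
    with the dots escaped and the suffix anchored to the end of the name."""
    return re.sub(re.escape(suffix) + r"$", "", dest, flags=re.IGNORECASE)


def has_known_prefix(dest: str, prefixes=KNOWN_PREFIXES) -> bool:
    """Case-insensitive version of the NOT like(dest, "Prefix1%") chain:
    'prefix1-x' and 'PREFIX1-x' are both treated as conforming hostnames."""
    lowered = dest.lower()
    return any(lowered.startswith(p.lower()) for p in prefixes)


def in_excluded_range(ip: str, cidrs=EXCLUDED_CIDRS) -> bool:
    """Counterpart of cidrmatch("10.49.16.1/27", dest_ip). strict=False is needed
    because the thread writes the ranges with host bits set (…16.1/27, not …16.0/27)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed or empty dest_ip: do not silently exclude it
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def normalise_mac(value: str) -> str:
    """Drop separators and case so 00:11:22:33:44:57 and 001122334457 compare equal (assumption)."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def hostname_is_mac(dest: str, mac: str) -> bool:
    """The thread's dest!=dest_mac guard for VoIP phones whose hostname is their MAC."""
    norm_dest = normalise_mac(dest)
    return norm_dest != "" and norm_dest == normalise_mac(mac)


def find_suspicious_hosts(events, prefixes=KNOWN_PREFIXES, cidrs=EXCLUDED_CIDRS):
    """Apply the thread's exclusions in order and return the events that would become notables."""
    hits = []
    for ev in events:
        if ev.get("description") != "assign":
            continue
        dest = strip_domain(ev.get("dest", ""))
        if has_known_prefix(dest, prefixes):
            continue
        if in_excluded_range(ev.get("dest_ip", ""), cidrs):
            continue
        if hostname_is_mac(dest, ev.get("dest_mac", "")):
            continue
        hits.append({"dest": dest, "dest_ip": ev.get("dest_ip", ""), "dest_mac": ev.get("dest_mac", "")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_hosts(SAMPLE_EVENTS):
        print(f"Suspicious host discovered - {hit['dest']} ({hit['dest_ip']}, {hit['dest_mac']})")
```

Run against the constructed events, only the second `visitor-mbp` lease survives: the two conforming hostnames are dropped regardless of case, the phone whose hostname equals its MAC is dropped, and the lease from 10.49.16.0/27 is dropped by the CIDR test. In SPL the case problem is handled the same way, by comparing a lower-cased copy of the field (`where NOT like(lower(dest), "prefix1%")`), since `like()` itself is case-sensitive.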