Splunk Enterprise Security

Different Search Results From Two Macros With Same Contents

securitypaul
Explorer

Hello everyone. I'm looking for some assistance with a problem where I get differing search results from what should be the same search.

Backstory

I’m testing changes to the “ESCU - Malicious PowerShell Process - Execution Policy Bypass – Rule” so that I can filter out known PowerShell events.

Using the same search head, user, date and time range, and what should be two identical macros, I get different search results.


The original search uses this macro: “malicious_powershell_process___execution_policy_bypass_filter”

The original search is:

| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `malicious_powershell_process___execution_policy_bypass_filter`

[Screenshot attachment: Search results original macro.PNG]


The test search uses this macro: “malicious_powershell_process___execution_policy_bypass_filter-test”

The test search is:

| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `malicious_powershell_process___execution_policy_bypass_filter-test`

[Screenshot attachment: Search results test macro.PNG]

Both macros contain the same content to exclude Splunk Universal Forwarder PowerShell scripts:

search (process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\nt6-health.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'c:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\nt6-repl-stat.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'c:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\nt6-siteinfo.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\dns-zoneinfo.ps1'\"" AND process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -executionPolicy RemoteSigned -command \". 'C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\dns-health.ps1'\"")

[Screenshot attachment: Macros.PNG]


When I run both searches I get different results and I’m unsure why. The macro appended -test works fine. When I copy its contents to the original macro, that search does not seem to use the new contents.

I made these changes last week and today get the same results.

Any ideas as to what might be causing this?

0 Karma

ITWhisperer
SplunkTrust

If you expand the macros (<ctrl><shift>E) do they expand as you would expect?

I have noticed that sometimes "updated" macros are not always updated in a timely manner, but I haven't figured out when and why this is - usually I keep retrying the update until it works. Sorry that that is not much help.

0 Karma

securitypaul
Explorer

Seems like it was a copy / paste oddity. I edited the macro again and copied / pasted the text back in. It works as expected now.

Perhaps there were some extra hidden characters that were causing an issue.

Thanks for the help.

0 Karma
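The resolution above points at hidden characters picked up during copy/paste. One way to confirm that diagnosis before re-pasting blindly is to pull the effective macro definitions out of macros.conf (for example from the output of `splunk btool macros list --debug`) and audit them for non-printing or non-ASCII characters. The script below is an added example, not part of the thread or of the ESCU content: it parses a macros.conf-style text, reports every character outside printable ASCII with its position and Unicode name, finds the first byte where two definitions diverge, and checks whether they become identical once the usual paste artefacts (no-break space, zero-width characters, curly quotes) are normalised. The sample conf is constructed here, with one excluded script kept from the macro above and a no-break space plus a zero-width space deliberately injected into the "original" copy.

```python
import unicodedata
from typing import Dict, List, Optional, Tuple

# Characters that commonly survive a copy/paste from a browser or document and
# are invisible in the macro editor.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
QUOTE_MAP = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Constructed sample definition: one exclusion from the filter macro in the post.
CLEAN_DEF = (
    r'search (process!="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe '
    r'-executionPolicy RemoteSigned -command \". '
    r"'C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_windows\\bin\\powershell\\nt6-health.ps1'"
    r'\"")'
)
# Same definition after a bad paste: a no-break space (U+00A0) replaces the space
# before -executionPolicy and a zero-width space (U+200B) trails the line.
DIRTY_DEF = CLEAN_DEF.replace(
    "powershell.exe -executionPolicy", "powershell.exe\u00a0-executionPolicy", 1
) + "\u200b"

# Constructed macros.conf text containing both macros from the thread.
MACROS_CONF_SAMPLE = (
    "[malicious_powershell_process___execution_policy_bypass_filter-test]\n"
    f"definition = {CLEAN_DEF}\n"
    "iseval = 0\n\n"
    "[malicious_powershell_process___execution_policy_bypass_filter]\n"
    f"definition = {DIRTY_DEF}\n"
    "iseval = 0\n"
)


def parse_macros_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal stanza/key=value parser. Only ASCII whitespace is stripped so that
    hidden characters in a definition are preserved for inspection."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip(" \t\r\n")
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip(" \t")] = value.strip(" \t")
    return stanzas


def find_hidden_chars(text: str) -> List[Tuple[int, str, str]]:
    """Return (index, codepoint, Unicode name) for every non printable-ASCII char."""
    findings = []
    for i, ch in enumerate(text):
        if 0x20 <= ord(ch) <= 0x7E:
            continue
        findings.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


def normalize_definition(text: str) -> str:
    """Drop zero-width characters, map NBSP to a space and curly quotes to ASCII."""
    out = []
    for ch in text:
        if ch in ZERO_WIDTH:
            continue
        out.append(" " if ch == "\u00a0" else QUOTE_MAP.get(ch, ch))
    return "".join(out)


def first_difference(a: str, b: str) -> Optional[int]:
    """Index of the first differing character, or None if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def audit_macros(conf_text: str, original: str, test: str) -> dict:
    """Compare two macro definitions and report hidden characters and divergence."""
    stanzas = parse_macros_conf(conf_text)
    a = stanzas[original]["definition"]
    b = stanzas[test]["definition"]
    return {
        "hidden_in_original": find_hidden_chars(a),
        "hidden_in_test": find_hidden_chars(b),
        "first_difference": first_difference(a, b),
        "equal_after_normalize": normalize_definition(a) == normalize_definition(b),
    }


if __name__ == "__main__":
    report = audit_macros(
        MACROS_CONF_SAMPLE,
        "malicious_powershell_process___execution_policy_bypass_filter",
        "malicious_powershell_process___execution_policy_bypass_filter-test",
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real file (`$SPLUNK_HOME/etc/apps/<app>/local/macros.conf`, or the merged btool output) and a non-empty `hidden_in_original` list with `equal_after_normalize` true is exactly the "copy/paste oddity" described above: the two macros read the same but do not filter the same, because the `process!=` comparison is byte-exact. Note that `find_hidden_chars` also flags legitimate non-ASCII content, so review each finding rather than stripping automatically.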

securitypaul
Explorer

Thanks for the reply. Sadly I'm using AWS Workspaces Linux and <ctrl><shift>E doesn't work for some reason. Just prints the e character.


0 Karma