Splunk Enterprise Security

Multisearching

celdridge1988
Engager

Hi All,
First post on here. Hopefully this makes sense and isn't overly convoluted.

So, I have a datamodel correlation search in Enterprise Security that looks for accounts being deleted:

| from datamodel:"Change_Analysis"."Account_Management" | where 'tag'="delete" | search NOT "changed: /usr*" | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(result) as "signature",values(src) as "src",values(dest) as "dest",count by "src_user","user" | where 'count'>0

This is great, however I have an access management team and I don't want their accounts to trigger a notable event. I understand that I can put exceptions in for each member of the team, but there would be an admin overhead to keep this up to date.
I have an ldapsearch that extracts the surnames of the team members from Active Directory:

| ldapsearch search="(&(objectClass=group) (cn=*))" attrs="member,sAMAccountName" basedn="CN=<GroupName>,OU=<OU>,DC=<DC>" 
| rex field=member "CN=([^,\d]*)* (?<Surnames>[^,\d]*)" 
| table Surnames 
| mvexpand Surnames

Is there a way to combine these searches and get the correlation search to look at the list of surnames and not trigger if a match is found? They won't be an exact match but the surname of the user will be present in the account name used to admin my DC.

Thanks all!!

0 Karma
1 Solution

gfreitas
Builder

Hi, I would suggest you write the results from your ldapsearch to a lookup, let's say access_mgmt_team.csv.
Then I would change the correlation search to not search for those users using the format command. Example of a subsearch below:

| from datamodel:"Change_Analysis"."Account_Management" 
| where 'tag'="delete" 
| search NOT "changed: /usr*"  [|inputlookup access_mgmt_team.csv | format "(" "NOT (" "AND" ")" "OR" ")"]
| stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(result) as "signature",values(src) as "src",values(dest) as "dest",count by "src_user","user" 
| where 'count'>0

Hope this helps

celdridge1988
Engager

Hi, Thank you for such a quick response.
I've created the lookup, however it's not removing the entries for the team. Could it be because I'm only extracting their surnames from the lookup, which isn't exactly the user account name? For instance, using the name 'John Smith' as an example for this situation: the LDAP search would take 'Smith' and list it in the .csv. The account name format he would have is 'dd_smithl', so I want to compare the csv, get it to see smith is there and detect smith in the account name.
Sorry, getting quite complex now.

0 Karma

gfreitas
Builder

Hi, I would suggest you put a wildcard before and after the surnames; that way the lookup entry would look like *smith*. To do that you can edit the ldapsearch query and add the following at the end: | eval Surnames = "*" + Surnames + "*". That should add the wildcards on the lookup you're using to whitelist.
Hopefully that helps

0 Karma
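As an added example, not code from any post in this thread, here are the two searches the discussion converges on: the first builds the lookup from AD with the wildcarded surnames gfreitas suggests, the second excludes matches in the correlation search. The lookup column is named src_user so the terms the subsearch generates apply to the account that performed the deletion (src_user in Account_Management) rather than the deleted account (user); the group DN placeholders and the lookup name access_mgmt_team.csv are taken from the posts above, and the first search is assumed to run on a schedule so the lookup tracks group membership.

```spl
| ldapsearch search="(&(objectClass=group)(cn=*))" attrs="member" basedn="CN=<GroupName>,OU=<OU>,DC=<DC>"
| rex field=member "CN=([^,\d]*)* (?<Surnames>[^,\d]*)"
| mvexpand Surnames
| eval src_user = "*" . lower(Surnames) . "*"
| dedup src_user
| table src_user
| outputlookup access_mgmt_team.csv

| from datamodel:"Change_Analysis"."Account_Management"
| where 'tag'="delete"
| search NOT "changed: /usr*" NOT [| inputlookup access_mgmt_team.csv | fields src_user | format]
| stats max(_time) as "lastTime", latest(_raw) as "orig_raw", values(result) as "signature", values(src) as "src", values(dest) as "dest", count by "src_user", "user"
| where 'count'>0
```

Wildcarded surnames over-suppress: any src_user containing the substring, including an unrelated account that happens to share it, drops out of the notable, so store exact account names without wildcards if the directory query can return them. Because the exclusion list refreshes from AD, anyone added to that group silently stops producing notables, which is worth alerting on separately.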