Splunk Search

Correlated search query

kestasm
Path Finder

Hi there,

I need to develop a search query which looks for the specific file download after one file was downloaded for the same user IP. The idea is as below example iliustrates:

http_method="GET" http_content_type="application/x-silverlight-app" | regex cs_uri_path="\/\d{3,4}.xap$"

So this query looks for just .xap extension file downloads. This is related to the Goon exploit kit, which afterwards (in a second matter) then tries to pull a .jar extension file. So I'd like to tune this query to get only the examples/alerts when this additional .jar file attempt appears for the same source IP. Any ideas?
Thanks.

Tags (2)

Ayn
Legend

As often otherwise, using a subsearch is a great way to create correlating searches like this.

First run your subsearch that finds all clients that have downloaded .xap files, then matches this against clients that have attempted to download .jar files too. (An assumption in my search below is that the source IP exists in the field "s_ip" - if it doesn't, just change the field name to the correct one)

http_method="GET" cs_uri_path="*.jar" [search http_method="GET" http_content_type="application/x-silverlight-app" cs_uri_path="*.xap" | regex cs_uri_path="/\d{3,4}\.xap$" | fields s_ip]

I also took the liberty to add cs_uri_path="*.jar". This should improve performance for your search because Splunk can narrow down the events it needs to read off disk before passing those on to the regex command.

EDIT: So, in order to weigh in a time factor here, I imagine you could do something like this:

http_method="GET" cs_uri_path="*.jar" [search http_method="GET" http_content_type="application/x-silverlight-app" cs_uri_path="*.xap" | regex cs_uri_path="/\d{3,4}\.xap$" | eval query="_time<"._time+5 | fields query s_ip]

This adds a _time constraint so you're only looking for .jar downloads 5 seconds after the .xap download. I haven't tried this out so I can't guarantee it'll work but it should 🙂

somesoni2
Revered Legend

Use subsearch eval like this
| eval query="_time<".(_time+5)

kestasm
Path Finder

Thanks,

will try to test, from the first glance there is some formatting issue, as not used this approach before, aren't very good at troubleshooting it:

Error in 'eval' command: Typechecking failed. '+' only takes two strings or two numbers.

0 Karma

Ayn
Legend

No that's correct. If you want to limit your timeframe that is a lot trickier. Frankly doing things like "I want to find client X if it first did this then within yy time did this" is not something Splunk is very good at - there are some ways of doing similar things but nothing really good built in.

That said, I'm editing my answer with a suggestion on how you could achieve what you want.

0 Karma

kestasm
Path Finder

Hi Ayn,
thanks much for the answer. Will try to test this, looks like this is the thing I've needed. What about timeframe here? If am interested only for the first few seconds after the .xap was downloaded to monitor for any .jar pulls? Cause otherwise it could give me the results where .jar was downloaded not in relation to the .xap download... Corect me if I am wrong here?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...