I am trying to alert on when a specific user logs into an affected / malware-not-cleaned machine. I am using the following search, but can't seem to get the join to work. All I see are the signatures from the Windows events, but nothing from McAfee.
index=wineventlog EventCode=4624
| lookup privileged_users.csv user
| search nick="*"
| join type=left user [ search index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user | rename user as pua ]
| stats count by pua
Thoughts?
Hi gods_warrior,
you're joining on user, but the subsearch does not return a user field; it returns pua.
Anyway, you can run this as one search without using join; see the reason for that here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or in the March 2016 virtual .conf here http://wiki.splunk.com/Virtual_.conf
Back to your search:
( index=wineventlog EventCode=4624 search nick="*" ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user )
| lookup privileged_users.csv user
| stats count by user *any other further needed fields*
This should return a count of user from both indexes. Also, this should work straight away because you will get user from index=wineventlog and from index=mcafee, based on your provided search example.
Hope this helps ...
cheers, MuS
MuS, thanks for the reply. It still doesn't work. The nick value is a field name in the lookup value for privileged_users.csv. Really, what I am hoping to see is the user and signatures, which I can add as output in the following results: a user logs into a device that is infected and I can see the complete correlation in that result.
Can you provide examples from both sources please?
Meanwhile try this:
( index=wineventlog EventCode=4624 ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user )
| lookup privileged_users.csv user
| search nick="*"
| stats count by user *any other further needed fields*
I can't provide samples for compliance reasons. However, the search shows the successful login event from Windows, but I don't see any correlation from the McAfee logs. Also, I changed the value of =0 to =1 in the McAfee subsearch; it doesn't appear to be reading the subsearch, only the Windows search.
Okay let's do this step by step:
index=wineventlog EventCode=4624
this returns a field called user, I know because you use it in the lookup 😉
| lookup privileged_users.csv user
the mentioned lookup to enrich user information
index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user
as long as this search returns a field called user as well, you can use stats to group it by this field.
Please verify each search and make sure they both return a user field.
Don't use a sub search for this 😉
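The three pieces above put together as one search, added here as an example rather than copied from MuS's answer. It assumes, as the Splunk add-ons for Windows and McAfee ePO usually provide, that both sourcetypes populate signature and dest, that privileged_users.csv carries a nick column, and that the index name is enough to tell the two sources apart. The dc(index)=2 filter is the part a plain stats count by user does not give you: it keeps only users that appear in both the logon events and the unhandled-threat events.

```spl
( index=wineventlog EventCode=4624 ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 )
| lookup privileged_users.csv user OUTPUT nick
| search nick="*"
| stats dc(index) AS sources,
        values(index) AS seen_in,
        values(signature) AS signatures,
        values(dest) AS hosts,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY user
| where sources=2
| convert ctime(first_seen) ctime(last_seen)
```

Run it once without the where clause to see which privileged users come from one source only; that is also the quickest way to confirm the McAfee side is contributing rows at all. If you want the logon tied to the infected host rather than just to the user, group BY user dest instead, which only works when both sources write the hostname in the same form (short name versus FQDN is the usual mismatch).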
I know that the user fields do exist in both searches. However, I don't see any type of signature or user logs from the McAfee search. The only thing I see is the Windows events. Not sure why I am not seeing any output from the McAfee events.
Check the time range and/or only search for the McAfee events to make sure they are available.
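A quick availability check for that step, added here and not part of the thread: it runs the same OR'd base search with no lookup and no join, and reports per index and sourcetype how many events matched, how many distinct user values they carry, and the time span they cover (field names are the ones used in the thread). If the index=mcafee row is missing, the McAfee events are outside the selected time range or threat_handled=0 does not match them, and no correlation search built on top will ever show them.

```spl
( index=wineventlog EventCode=4624 ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 )
| stats count,
        dc(user) AS distinct_users,
        min(_time) AS earliest,
        max(_time) AS latest
  BY index sourcetype
| convert ctime(earliest) ctime(latest)
```

If the McAfee row is present but distinct_users is 0, the user field is not being extracted on those events and the stats by user in the correlation search will silently drop them. If the row is absent even over a wide time range, drop the threat_handled=0 term and run index=mcafee sourcetype="mcafee:epo:av" | stats count BY threat_handled to see which values the field actually takes.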