
How do I join my epO events with my user login events?

gods_warrior
New Member

I am trying to alert on when a specific user logs into an affected / malware not cleaned machine. I am using the following search, but can't seem to get the join to work. All I see are the signatures from the Windows events, but nothing from McAfee..

index=wineventlog EventCode=4624 | lookup privileged_users.csv user | search nick="*" | join type=left user [search index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user | rename user as pua] | stats count by pua

Thoughts?

0 Karma

MuS
Legend

Hi gods_warrior,

you're joining on user but the subsearch does not return a user field it returns pua.

Anyway you can run this as one search without using join - see reason for that here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or in the March 2016 virtual .conf here http://wiki.splunk.com/Virtual_.conf

Back to your search:

( index=wineventlog EventCode=4624 search nick="*" ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user ) 
| lookup privileged_users.csv user 
| stats count by user *any other further needed fields*

This should return a count of user from both indexes. Also this should work straight away because you will get user from index=wineventlog and from index=mcafee based on your provided search example.

Hope this helps ...

cheers, MuS

0 Karma

gods_warrior
New Member

MuS .. Thanks for the reply. Still doesn't work .. the nick value is a field name in the lookup value for privileged_users.csv .. really what I am hoping to see is the user and signatures which I can add output as the following results. User logs into device that is infected and I can see the complete correlation on that result.

0 Karma

MuS
Legend

Can you provide examples from both sources please?

Meanwhile try this:

( index=wineventlog EventCode=4624 ) OR ( index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user ) 
 | lookup privileged_users.csv user 
 | search nick="*"
 | stats count by user *any other further needed fields*

0 Karma

gods_warrior
New Member

I can't provide samples for compliance reasons. However, the search shows the successful login event from Windows but I don't see any correlation from the McAfee logs .. also I changed the value of =0 to =1 in the McAfee subsearch; it doesn't appear to be reading the subsearch, only the Windows search..

0 Karma

MuS
Legend

Okay let's do this step by step:

index=wineventlog EventCode=4624 

this returns a field called user, I know because you use it in the lookup 😉

| lookup privileged_users.csv user
the mentioned lookup to enrich user information

index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user
as long as this search returns a field called user as well, you can use stats to group it by this field.

Please verify each search and make sure they both return a user field.
Don't use a sub search for this 😉

0 Karma
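To make the difference between the two pipelines concrete, here is an added example (not code from the thread or from Splunk) that models both searches in Python over constructed sample events: the asker's `join type=left user` against a subsearch that renamed `user` to `pua`, and MuS's single base search with `lookup` and `stats`. The lookup rows, the event field names `host` and `signature`, and the two events per source are all assumptions standing in for the real Windows and ePO fields; the example also groups by host as well as user, so that a hit means a privileged user logged on to the same machine that carries an unhandled detection, which is the correlation the question is after.

```python
import csv
import io

# Constructed sample data (not from the thread). Field names such as "host"
# and "signature" are assumptions standing in for the real ePO/Windows fields.
PRIVILEGED_USERS_CSV = """user,nick
alice,Admin-A
bob,Admin-B
"""

WINEVENTLOG = [
    {"index": "wineventlog", "EventCode": "4624", "user": "alice", "host": "ws01"},
    {"index": "wineventlog", "EventCode": "4624", "user": "alice", "host": "ws02"},
    {"index": "wineventlog", "EventCode": "4624", "user": "carol", "host": "ws03"},
]

MCAFEE = [
    {"index": "mcafee", "sourcetype": "mcafee:epo:av", "threat_handled": "0",
     "user": "alice", "host": "ws01", "signature": "Generic.Trojan"},
    {"index": "mcafee", "sourcetype": "mcafee:epo:av", "threat_handled": "1",
     "user": "bob", "host": "ws04", "signature": "EICAR-Test"},
]


def load_lookup(csv_text):
    """Parse the privileged_users.csv lookup into {user: row}."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def lookup_enrich(events, lookup):
    """Model `| lookup privileged_users.csv user`: add nick when the user matches."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        if ev.get("user") in lookup:
            ev["nick"] = lookup[ev["user"]]["nick"]
        enriched.append(ev)
    return enriched


def left_join(left, right, field):
    """Model `| join type=left <field> [subsearch]`: a left row only matches when
    a subsearch row carries the same field name with the same value."""
    by_key = {}
    for row in right:
        if row.get(field) is not None:
            by_key.setdefault(row[field], row)  # join keeps the first match
    return [{**row, **by_key.get(row.get(field), {})} for row in left]


def original_search():
    """The asker's pipeline. The subsearch renames user to pua, so no row joins
    on user and `stats count by pua` has no pua field to count."""
    lookup = load_lookup(PRIVILEGED_USERS_CSV)
    left = [e for e in lookup_enrich(WINEVENTLOG, lookup) if e.get("nick")]
    subsearch = []
    for e in MCAFEE:
        if e["threat_handled"] == "0":
            e = dict(e)
            e["pua"] = e.pop("user")  # `| rename user as pua` drops the user field
            subsearch.append(e)
    joined = left_join(left, subsearch, "user")
    counts = {}
    for e in joined:
        if "pua" in e:
            counts[e["pua"]] = counts.get(e["pua"], 0) + 1
    return counts


def single_search():
    """MuS's approach: one base search over both indexes, enrich, keep rows with
    a nick, then stats. Grouping by (user, host) so a hit means a privileged
    user logged on to the same machine that has an unhandled detection."""
    lookup = load_lookup(PRIVILEGED_USERS_CSV)
    base = [e for e in WINEVENTLOG if e["EventCode"] == "4624"]
    base += [e for e in MCAFEE
             if e["sourcetype"] == "mcafee:epo:av" and e["threat_handled"] == "0"]
    enriched = [e for e in lookup_enrich(base, lookup) if e.get("nick")]
    stats = {}
    for e in enriched:
        row = stats.setdefault((e["user"], e["host"]),
                               {"logons": 0, "detections": 0, "signatures": set()})
        if e["index"] == "wineventlog":
            row["logons"] += 1
        else:
            row["detections"] += 1
            row["signatures"].add(e["signature"])
    # Alert only where both sources contributed to the same user/host pair.
    return {k: v for k, v in stats.items() if v["logons"] and v["detections"]}


if __name__ == "__main__":
    print("join version:", original_search())
    print("single search:", single_search())
```

Running it, the join version returns an empty result because the left side is keyed on `user` while every subsearch row only has `pua`; the single-search version returns one row for alice on ws01 with the unhandled signature, while alice's logon on ws02 (no detection), bob's handled detection and carol's non-privileged logon all drop out.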

gods_warrior
New Member

I know that the user fields do exist in both searches. However, I don't see any type of signature or user logs from the McAfee search. The only thing I see are the Windows events. Not sure why I am not seeing any output from the McAfee events..

0 Karma

MuS
Legend

check the time range and/or only search for the McAfee events to make sure they are available

0 Karma