Splunk Search

Intrusion detection datamodel providing different results when search is executed in different order

rahulhari88
Explorer

Hi All ,
Can some one help me understand why  similar query gives me 2 different results for a intrusion detection datamodel . Only difference bw 2 is the order .
Query 1:
| tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url
| eval source="wildfire"
| rename IDS_Attacks.url as wildfireurl
| rex field=wildfireurl "(?P<domain>[^\/]*)"
| lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk
| lookup idefense_http_intel ip as wildfireurl OUTPUT description weight
| lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString
| search EvidenceDetails =* OR description=* OR RiskString=*
| rename "IDS_Attacks.*" as *
| append
   [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete"
       [| inputlookup ids_malicious_ip_tracker
       | fields src
       | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port
   | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match
   | where src_match="NONE" OR isnull(src_match)
   | fields - src_match
   | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk
   | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight
   | lookup ips_tor.csv ip as All_Traffic.src output app as app
   | search EvidenceDetails =* OR description=* OR app="tor"
   | where Risk > 69 OR weight > 40 OR app="tor"
   | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
   | fields - description, EvidenceDetails
   | eval Attack_Count = mvcount(rf_evidence_details_0)
   | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
   | rename "All_Traffic.*" as *]
| append
   [| tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest
   | lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk
   | lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight
   | search EvidenceDetails =* OR description=*
   | where Risk > 69 OR weight > 40
   | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
   | fields - description, EvidenceDetails
   | eval Attack_Count = mvcount(rf_evidence_details_0)
   | search count > 100
   | search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
   | rename "All_Traffic.*" as *]
Second Query :
| tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest
| lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk
| lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight
| search EvidenceDetails =* OR description=*
| where Risk > 69 OR weight > 40
| eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
| fields - description, EvidenceDetails
| eval Attack_Count = mvcount(rf_evidence_details_0)
| search count > 100
| search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
| rename "All_Traffic.*" as *
| append
   [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete"
       [| inputlookup ids_malicious_ip_tracker
       | fields src
       | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port
   | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match
   | where src_match="NONE" OR isnull(src_match)
   | fields - src_match
   | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk
   | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight
   | lookup ips_tor.csv ip as All_Traffic.src output app as app
   | search EvidenceDetails =* OR description=* OR app="tor"
   | where Risk > 69 OR weight > 40 OR app="tor"
   | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
   | fields - description, EvidenceDetails
   | eval Attack_Count = mvcount(rf_evidence_details_0)
   | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
   | rename "All_Traffic.*" as *]
| append
   [| tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url
   | eval source="wildfire"
   | rename IDS_Attacks.url as wildfireurl
   | rex field=wildfireurl "(?P<domain>[^\/]*)"
   | lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk
   | lookup idefense_http_intel ip as wildfireurl OUTPUT description weight
   | lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString
   | search EvidenceDetails =* OR description=* OR RiskString=*
   | rename "IDS_Attacks.*" as *] (edited) 
 above query has 3 parts suspicious inbound ,suspicious outbound and suspicious url . While executing the first query i am getting 1 result and while executing 2 query i am getting 6 results for the same time frame

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...