Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Intrusion detection datamodel providing different results when search is executed in different order

rahulhari88
Explorer
‎10-04-2021 05:56 AM

Hi All ,
Can some one help me understand why  similar query gives me 2 different results for a intrusion detection datamodel . Only difference bw 2 is the order .
Query 1:
| tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url
| eval source="wildfire"
| rename IDS_Attacks.url as wildfireurl
| rex field=wildfireurl "(?P<domain>[^\/]*)"
| lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk
| lookup idefense_http_intel ip as wildfireurl OUTPUT description weight
| lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString
| search EvidenceDetails =* OR description=* OR RiskString=*
| rename "IDS_Attacks.*" as *
| append
   [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete"
       [| inputlookup ids_malicious_ip_tracker
       | fields src
       | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port
   | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match
   | where src_match="NONE" OR isnull(src_match)
   | fields - src_match
   | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk
   | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight
   | lookup ips_tor.csv ip as All_Traffic.src output app as app
   | search EvidenceDetails =* OR description=* OR app="tor"
   | where Risk > 69 OR weight > 40 OR app="tor"
   | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
   | fields - description, EvidenceDetails
   | eval Attack_Count = mvcount(rf_evidence_details_0)
   | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
   | rename "All_Traffic.*" as *]
| append
   [| tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest
   | lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk
   | lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight
   | search EvidenceDetails =* OR description=*
   | where Risk > 69 OR weight > 40
   | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
   | fields - description, EvidenceDetails
   | eval Attack_Count = mvcount(rf_evidence_details_0)
   | search count > 100
   | search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
   | rename "All_Traffic.*" as *]
Second Query :
| tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest
| lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk
| lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight
| search EvidenceDetails =* OR description=*
| where Risk > 69 OR weight > 40
| eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
| fields - description, EvidenceDetails
| eval Attack_Count = mvcount(rf_evidence_details_0)
| search count > 100
| search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
| rename "All_Traffic.*" as *
| append
   [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete"
       [| inputlookup ids_malicious_ip_tracker
       | fields src
       | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port
   | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match
   | where src_match="NONE" OR isnull(src_match)
   | fields - src_match
   | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk
   | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight
   | lookup ips_tor.csv ip as All_Traffic.src output app as app
   | search EvidenceDetails =* OR description=* OR app="tor"
   | where Risk > 69 OR weight > 40 OR app="tor"
   | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)
   | fields - description, EvidenceDetails
   | eval Attack_Count = mvcount(rf_evidence_details_0)
   | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12
   | rename "All_Traffic.*" as *]
| append
   [| tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url
   | eval source="wildfire"
   | rename IDS_Attacks.url as wildfireurl
   | rex field=wildfireurl "(?P<domain>[^\/]*)"
   | lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk
   | lookup idefense_http_intel ip as wildfireurl OUTPUT description weight
   | lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString
   | search EvidenceDetails =* OR description=* OR RiskString=*
   | rename "IDS_Attacks.*" as *] (edited) 
 above query has 3 parts suspicious inbound ,suspicious outbound and suspicious url . While executing the first query i am getting 1 result and while executing 2 query i am getting 6 results for the same time frame

Labels (1)
Labels
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...