
LISPY issues with Windows Defender Logs


Hey Splunkers,

In the last few days I have been trying to learn and understand the principles of LISPY in order to understand the following phenomenon. By now I can tell that I've learned a lot, but I still can't comprehend the behaviour of Splunk when putting its LISPY queries together.

Scenario: Our analysts are working with Windows Defender logs, and therefore we are using two TAs (https://splunkbase.splunk.com/app/3734/ and https://splunkbase.splunk.com/app/5208/) to extract and normalize the data. The TA by nextpart does a renaming of the source and an automatic lookup, as you can see in this props.conf:


[source::...WinEventLog:Microsoft-Windows-Windows Defender/Operational]
# Default shorten to easy readable source
EVAL-source = "XmlWinEventLog:Defender"
LOOKUP-CategoryString_for_windows = windefender_signature_lookup signature_id OUTPUTNEW action, CategoryString, result, subsystem



I understand what is happening here so far, but now we have a strange behaviour while running SPL on the data where we used the fields "index", "source" and "CategoryString". "CategoryString" comes as output from the automatic lookup. That was when I took a closer look at the LISPY and was able to locate the problem:


index=indexname source="XmlWinEventLog:Defender" CategoryString=action

[ AND action index::indexname [ OR source::*wineventlog:microsoft-windows-windows\ defender/operational source::xmlwineventlog:defender ] ]


index=indexname SourceName="Microsoft-Windows-Windows Defender" CategoryString=action

[ AND defender index::indexname microsoft windows [ OR action source::*wineventlog:microsoft-windows-windows\ defender/operational ] ]


As far as I understand, the string "action" is not found in the tsidx file, as it is returned as a field value from an automatic lookup, and that's why our first LISPY does not provide any data and the SPL gives back 0 results. In the second SPL, where we used SourceName (not indexed) instead of source (indexed), the LISPY looked different and worked, as the string "action" is now in the OR clause and not in the AND clause at the beginning...

My questions now are:

  • As I'm a very curious guy, can someone explain this behaviour to me?
  • What would / could be a good way or workaround to "fix" this so that the fields "source" and "CategoryString" can be used together?
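Two workarounds for the second question, added here as an illustration and not part of the original post. Both keep the lookup output field out of the base search so that the literal "action" never becomes a required term in the LISPY. They assume the index, source and lookup names quoted above, and the second one additionally assumes that signature_id is extracted from the raw event (for example from the EventCode), so its numeric values exist as terms in the tsidx files:

```spl
index=indexname source="XmlWinEventLog:Defender"
| where CategoryString="action"
| stats count by signature_id, CategoryString, action, result

index=indexname source="XmlWinEventLog:Defender"
    [ | inputlookup windefender_signature_lookup
      | search CategoryString="action"
      | fields signature_id ]
| stats count by signature_id, CategoryString, action, result
```

The first search filters on CategoryString only after the automatic lookup has populated it on the events returned by the base search. The second resolves the lookup in reverse: the subsearch turns the lookup rows with CategoryString="action" into an OR of signature_id values, and those numbers are present in the raw events, so the index search can use them as terms. In either case, check the resulting base LISPY in the Job Inspector's search.log; if the search optimizer pushes the where clause back into the base search, running the search with `| noop search_optimization=false` appended will show whether the optimizer is responsible.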


