Splunk Search

Nested sub searches return no result

thierry_15
Loves-to-Learn

Hi and thanks a lot for your help !

My goal :

Finding processes that made suspicious DNS requests around user Logon

It seems that nested sub searches could make the job so here is my request :

 

 

event_simpleName=Process

[search event_simpleName=DNSrequest

[ search ComputerName IN ("Computer*") event_simpleName=UserLogon NOT UserName IN ("SYSTEM","*$","LOCAL SERVICE","DWM-*", "SERVICE LOCAL")
| dedup ComputerName, UserName
| rename _time AS earliest
| eval latest=earliest+120
| fields earliest, latest, ComputerName ]

| where match(DomainName,"(?i)(^.*\.(surf|cam|date|eu)$)")
| where NOT match(DomainName,".*(amaz)") | rename CProcessId as TProcessId | fields ComputerName, TProcessId ]

 

 

 

What I try to do / what I understand :

Subsearch_1 :
- try to find user logon and use dedup to reduce the number of events.
- using "fields", I pass to "Subsearch_2", three "parameters" : earliest, latest, ComputerName.  Field "ComputerName" exists in "DNSrequest" data.

Subsearch 2 :
- Using filters "earliest, latest, ComputerName", I search DNS requests made around the user logon time (Logon time + 2 mins)
- fields "ComputerName, ProcessId" are passed to "Main search". These two fields exist in "Process" data

Main search :
- try to find processes based on "ComputerName" and "TProcessId"
- Time range selected in UI is used by this search and Subsearch_1.
Subsearch_2 uses "earliest" and "latest".

The complete request does not return any result, but I have results if I decompose the request.
The issue concerns probably the data / parameters process by "Main search"...but I can't find out more.

Labels (1)
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!