Hi, and thanks a lot for your help!
My goal:
Finding processes that made suspicious DNS requests around user logon.
It seems that nested subsearches could do the job, so here is my request:
event_simpleName=Process
    [search event_simpleName=DNSrequest
        [search ComputerName IN ("Computer*") event_simpleName=UserLogon NOT UserName IN ("SYSTEM","*$","LOCAL SERVICE","DWM-*","SERVICE LOCAL")
        | dedup ComputerName, UserName
        | rename _time AS earliest
        | eval latest=earliest+120
        | fields earliest, latest, ComputerName]
    | where match(DomainName,"(?i)(^.*\.(surf|cam|date|eu)$)")
    | where NOT match(DomainName,".*(amaz)")
    | rename CProcessId AS TProcessId
    | fields ComputerName, TProcessId]
What I try to do / what I understand:
Subsearch_1:
- try to find user logons and use dedup to reduce the number of events.
- using "fields", I pass three "parameters" to "Subsearch_2": earliest, latest, ComputerName. The field "ComputerName" exists in the "DNSrequest" data.
Subsearch_2:
- using the filters "earliest, latest, ComputerName", I search for DNS requests made around the user logon time (logon time + 2 mins).
- the fields "ComputerName, ProcessId" are passed to the "Main search". These two fields exist in the "Process" data.
Main search:
- try to find processes based on "ComputerName" and "TProcessId".
- the time range selected in the UI is used by this search and by Subsearch_1; Subsearch_2 uses "earliest" and "latest".
The complete request does not return any result, but I get results if I decompose the request.
The issue is probably with the data / parameters processed by the "Main search"... but I can't find out more.
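As an added illustration (not part of the original post, and not Splunk code), the following Python models the three stages of the query above over a handful of constructed events: Subsearch_1 turns deduplicated user logons into (earliest, latest, ComputerName) windows, Subsearch_2 keeps DNS requests that fall inside a window on the same host and match the two regexes, and the main stage keeps processes whose (ComputerName, TProcessId) pair appears in Subsearch_2's output. The event dictionaries, the `FileName` field and the `glob` helper are assumptions made for the example; the field names that come from the post (`ComputerName`, `UserName`, `DomainName`, `CProcessId`, `TProcessId`) are used as written there.

```python
import fnmatch
import re

# Filters copied from the SPL in the post.
EXCLUDED_USERS = ["SYSTEM", "*$", "LOCAL SERVICE", "DWM-*", "SERVICE LOCAL"]
SUSPICIOUS_TLD = re.compile(r"(?i)(^.*\.(surf|cam|date|eu)$)")   # where match(...)
ALLOWLIST = re.compile(r".*(amaz)")                                # where NOT match(...)

# Constructed sample events (not real telemetry); _time is epoch seconds.
LOGONS = [
    {"_time": 1000, "event_simpleName": "UserLogon", "ComputerName": "Computer01", "UserName": "alice"},
    {"_time": 1010, "event_simpleName": "UserLogon", "ComputerName": "Computer01", "UserName": "alice"},  # duplicate, dropped by dedup
    {"_time": 2000, "event_simpleName": "UserLogon", "ComputerName": "Computer02", "UserName": "SYSTEM"}, # excluded user
    {"_time": 3000, "event_simpleName": "UserLogon", "ComputerName": "Computer02", "UserName": "bob"},
]
DNS = [
    {"_time": 1050, "ComputerName": "Computer01", "DomainName": "update.example.surf", "CProcessId": "111"},
    {"_time": 1100, "ComputerName": "Computer01", "DomainName": "images.amazon.eu", "CProcessId": "222"},  # removed by allowlist
    {"_time": 1500, "ComputerName": "Computer01", "DomainName": "late.example.date", "CProcessId": "333"}, # outside the 120 s window
    {"_time": 3030, "ComputerName": "Computer02", "DomainName": "cdn.example.com", "CProcessId": "444"},   # TLD not in the list
    {"_time": 3060, "ComputerName": "Computer02", "DomainName": "x.example.cam", "CProcessId": "555"},
]
PROCESSES = [
    {"ComputerName": "Computer01", "TProcessId": "111", "FileName": "updater.exe"},
    {"ComputerName": "Computer01", "TProcessId": "333", "FileName": "late.exe"},
    {"ComputerName": "Computer02", "TProcessId": "555", "FileName": "viewer.exe"},
    {"ComputerName": "Computer02", "TProcessId": "999", "FileName": "other.exe"},
]


def glob(pattern, value):
    """Case-insensitive wildcard match, standing in for Splunk's IN ("...*") semantics."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def logon_windows(events, host_glob="Computer*", window=120):
    """Subsearch_1: deduped (ComputerName, UserName) logons -> earliest/latest/ComputerName rows."""
    seen, rows = set(), []
    for e in events:
        if e["event_simpleName"] != "UserLogon" or not glob(host_glob, e["ComputerName"]):
            continue
        if any(glob(p, e["UserName"]) for p in EXCLUDED_USERS):
            continue
        key = (e["ComputerName"], e["UserName"])
        if key in seen:            # dedup keeps the first event in search order
            continue
        seen.add(key)
        rows.append({"earliest": e["_time"], "latest": e["_time"] + window, "ComputerName": e["ComputerName"]})
    return rows


def suspicious_dns(events, windows):
    """Subsearch_2: DNS requests inside a logon window on the same host, filtered by both regexes.

    earliest is inclusive and latest exclusive, as Splunk treats time bounds.
    """
    rows = []
    for e in events:
        in_window = any(
            w["ComputerName"] == e["ComputerName"] and w["earliest"] <= e["_time"] < w["latest"]
            for w in windows
        )
        if not in_window or not SUSPICIOUS_TLD.search(e["DomainName"]) or ALLOWLIST.search(e["DomainName"]):
            continue
        # rename CProcessId AS TProcessId | fields ComputerName, TProcessId
        rows.append({"ComputerName": e["ComputerName"], "TProcessId": e["CProcessId"]})
    return rows


def matching_processes(events, dns_rows):
    """Main search: keep processes whose (ComputerName, TProcessId) pair was returned by Subsearch_2."""
    keys = {(r["ComputerName"], r["TProcessId"]) for r in dns_rows}
    return [p for p in events if (p["ComputerName"], p["TProcessId"]) in keys]


def run(logons=LOGONS, dns=DNS, processes=PROCESSES):
    return matching_processes(processes, suspicious_dns(dns, logon_windows(logons)))


if __name__ == "__main__":
    for p in run():
        print(p["ComputerName"], p["TProcessId"], p["FileName"])
```

Running the model on the constructed data returns two processes (`111` on Computer01 and `555` on Computer02). The last stage makes the coupling explicit: only exact (ComputerName, TProcessId) pairs survive, so any difference between what Subsearch_2 emits and what the process events actually carry in those two fields leaves the final stage empty.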