Splunk Search

Splunk search with multiple macros

SIEMStudent
Path Finder

Hi all,

I have a question about macros: suppose I must use, inside a search, multiple macros. Those macros can be related between them by simple logical condition like AND and OR; what is the right syntax to tell to search to use more than one macro? Is the append command or other?

UPDATE

Let me modify the post, after @ITWhisperer explaination.

The current desiderd behavior is to perform security check with rules that uses multiple macros. We don't know if it is the best way and/or absolutely required by customer, but at writing time is our guideline.

We have the following situation:

1. Two or more macros linked with AND operator. Consider the following macros:

`remote to local` = | eval (All_traffic.src) as src from datamodel="Network traffic"| eval (All_traffic.dest) as dest from datamodel="Network traffic" |where ( src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16) AND ( dest=10.0.0.0/8 OR dest=172.16.0.0/12 OR dest=192.168.0.0/16) 

set to use Data Model instead of raw events and that evaluate if the connection is from internet to local network.

The other one is the following:

`successfull communication` = | eval(All_traffic.bytes_in/All_traffic.packets_in) as input_rate from datamodel="Network traffic" | eval(All_traffic.bytes_out/All_traffic.packets_out) as output_rate from datamodel="Network traffic" | where input_rate > 80 and output_rate > 80

which try to understand if the communication between source and dest works fine counting the bytes/packets rate.

What about if, in my  rules, I have to use them linked with AND and used as filter? I mean, the final rule structure is something like that:

<my search>....| where `remote to local` AND `successfull communication`


2. The Macros should be putted togheter with OR. This becaus the rule try multiple way to understand if something is happening or not.

Consider this macros:

`IRC Check with Firewalls`=|tstats count values(All_traffic.src) as source by source from datamodel=Network_Traffic|where  All_traffic.protocol = tcp AND All_traffic.action = allowed | search All_traffic.dest = NOT [| inputlookup WhiteListIP.csv | table dest] All_traffic.dest_port IN  [| inputlookup IRCPorts.csv | table dest_port]

 that try to check if a IRC server is in execution checking some network data, like firewall pass, tcp protocol, destination port present in IRCPorts.csv file and excluding some authorized server putted in WhitelistIP.csv.

Then, we must make a macros that try to find if an IRC client is in execution; currently we don't know how to realize this, so let me put here simply its name: 

`IRC Client Detected`

So, the final search whant use this 2 macros as filter and trigger if one of them is true; something like:

<some search>...| where `IRC Check with Firewalls` OR `IRC Client Detected`

 

3. Any combination between AND and OR. Using the above macros, something like:

<some search>...| where `remote to local` AND (`IRC Check with Firewalls` OR `IRC Client Detected`)

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

The macros don't look like they would expand to valid syntax to be used in a where clause as you described. Perhaps you should try constructing the search query without macros first to get the results you require, then work out which bits can be converted to macros.

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Macros are just a way of shortening the SPL code - you can use <ctrl><shift>E in the search box to expand the macros - the expanded macros have to still form valid SPL. This is a long way of saying, it depends on your macros and what they do!

0 Karma

SIEMStudent
Path Finder

You are right, my fault, I apologize.

The macro I have to create are used by Security Use Cases and so are used to determine if the rule must trigger or not. Normally, I have 2 possibility:

1. The macro can call, inside it, another macro

As example, suppose I have this 2 macros:

a. `communication request` which notify if a communication request has been done; if yes, it calls:
b. `communication successfull` that state if the communication has worked fine.

In this case, should I use a syntax like `communication request` append `communication successfull`?

2. The Macro does not call another macro inside it, but the rule need multiple one to decide if activate or not.

As example, suppose I have to detect if a IRC local Server is founded and for this I have 3 macros:

a.  `remote to local`, used to determine if the connection has remote src and local dest address
b. `firewall pass`, used to determine if on this connection I have a firewall pass
c. `application used`, which determine the application used to connect to IRC server

In this case, the 3 macros must be divided with pipe? Something like:
|`remote to local` |`firewall pass` |`application used`

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It depends on what the macros expand to - you haven't provided this information so it is not possible to say how the macros should be used.

0 Karma

SIEMStudent
Path Finder

I understand. So let me update my starting post to better explain the scenario, with same sample macros.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The macros don't look like they would expand to valid syntax to be used in a where clause as you described. Perhaps you should try constructing the search query without macros first to get the results you require, then work out which bits can be converted to macros.

SIEMStudent
Path Finder

Thanks, it is exactely what I was afraid of.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...