Splunk Search

What to use to search a hash and return all info for all users that have a hit?

freeload101
Explorer
  • New to Splunk, but I understand regex and have a strong background in sed/awk/curl/bash
  • I want to search a hash and return all the info for all the users that have a hit
  • ProcessRollup2 contains the fields aid and SHA256HashData; I need these linked via aid, but the result is too large for the limited subsearch (over 10K) as we have 30K+ endpoints
  • UserIdentityV2-v02 contains the fields aid and UserPrincipal; I need these linked via aid, but the result is too large for the limited subsearch (over 10K) as we have 30K+ endpoints
  • If I use a simple subsearch the result is trimmed, or if too many days go by I don't get any hits

Work in progress.
This search 'works' but does not keep SHA256HashData from the original search. I need the hash and the other fields from ProcessRollup2 too!

    event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 earliest=-10d@d latest=@m
    | dedup aid
    | stats count by aid SHA256HashData
    | map search="search sourcetype=UserIdentityV2-v02 aid=$aid$ earliest=-60d@d latest=@m"
    | dedup aid UserPrincipal SHA256HashData
    | table aid UserPrincipal SHA256HashData

This is what used to work, sort of, as long as it's around 1-4 days, because of the max limits I can't change on the CrowdStrike server:

    sourcetype=UserLogonV8-v02
        [| search sourcetype=json_predefined_timestamp SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b"
         | table AgentIdString
         | dedup AgentIdString
         | rename AgentIdString as aid]
    | table aid UserName UserPrincipal LocalAddressIP4
    | dedup UserPrincipal
    | sort aid
    | join type=outer aid
        [| search sourcetype=json_predefined_timestamp SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b"
         | table AgentIdString DetectDescription
         | rename AgentIdString as aid]
    | table aid DetectDescription UserName UserPrincipal LocalAddressIP4
    | lookup aid_master aid OUTPUT City Country ComputerName MachineDomain
    | table aid DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName UserPrincipal FULLNAME City Country

freeload101
Explorer
Found my own post 😛 Use the following query to bind UserName to email, like so ...

    | join UserName
        [search event_simpleName IN ("UserLogon*", "Login*") UserPrincipal!="svcSCOM.SvcNow@newellco.com" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-2d@d]


Reference: https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting


yannK
Splunk Employee

In general, when you are looking at the same time range, I always recommend trying to do a single search instead of map or a subsearch.

Does this help, or do you still need to split by SHA256HashData and aid?

    earliest=-10d@d latest=@m ( event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 ) OR ( sourcetype="UserIdentityV2-v02" )
    | stats count values(UserPrincipal) values(SHA256HashData) by aid
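As an added example, not from any post in this thread, the single-search approach above can be extended so that only endpoints that actually executed the hash are kept, the hash is carried through in the output, and the aid_master lookup from the first post enriches each row. Field, sourcetype and lookup names are the ones used in the thread; the alias proc_hits is my own.

```spl
earliest=-10d@d latest=@m
    ( event_simpleName="ProcessRollup2"
      SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 )
    OR ( sourcetype="UserIdentityV2-v02" )
| stats count(eval(event_simpleName="ProcessRollup2")) AS proc_hits
        values(SHA256HashData) AS SHA256HashData
        values(UserPrincipal)  AS UserPrincipal
        by aid
| where proc_hits > 0
| lookup aid_master aid OUTPUT ComputerName MachineDomain City Country
| table aid SHA256HashData proc_hits UserPrincipal ComputerName MachineDomain City Country
```

Because both event types are pulled in one search and correlated by stats rather than a subsearch or map, the 10K subsearch result limit and the map search count limit do not apply; the `where proc_hits > 0` step drops identity-only endpoints that the plain OR search would otherwise return with an empty SHA256HashData.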