Splunk Search
Highlighted

What to use to a search a hash and return all info of all users that have a hit?

Engager
  • New to Splunk but understand regex and have a strong background in sed/awk/curl/bash
  • I want to search a hash and return all the info for all the users that have a hit
  • ProcessRollup2 contains fields aid and SHA256HashData I need linked via aid but too large for limited subsearch over 10K as we have 30K+ endpoints
  • UserIdentityV2-v02 containes fieldsaid UserPrincipal I need linked via aid but too large for limited subsearch over 10K as we have 30K+ endpoints
  • if I use a simple subsearch the result is trimmed or if too many days go by I don't get any hits

Work in Progress.
This search 'works' but does not keep the SHA256HashData from the original search. I need the hash and other fields in ProcessRollup2 too!

  event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 earliest=-10d@d latest=@m 
    | dedup aid
    | stats count by aid SHA256HashData  
     |map  search="search sourcetype="UserIdentityV2-v02"  aid=$aid$ earliest=-60d@d latest=@m "
     | dedup aid UserPrincipal SHA256HashData
     | table aid UserPrincipal SHA256HashData

This is what used to work sort of as long as it's around 1-4 days because of the max limits I can't change in the Crowdstrike server

sourcetype=UserLogonV8-v02 
    [|  search sourcetype=json_predefined_timestamp  SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b" | table AgentIdString 
| dedup AgentIdString 
|  rename AgentIdString as aid] 
| table aid UserName UserPrincipal LocalAddressIP4

| dedup UserPrincipal
| sort by aid


| join type=outer aid 
    [|  search sourcetype=json_predefined_timestamp  SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b" | table AgentIdString DetectDescription
    | rename AgentIdString as aid]
    | table aid DetectDescription UserName UserPrincipal LocalAddressIP4
    | lookup aid_master aid OUTPUT City Country ComputerName MachineDomain 

    |  table aid DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName UserPrincipal FULLNAME City Country
0 Karma
Highlighted

Re: What to use to a search a hash and return all info of all users that have a hit?

Splunk Employee
Splunk Employee

In general, when you are looking at the same timerange, I always recommend trying to do a single search, instead of map or sub search.

Does this help, or do you still need to split by SHA256HashData and aid ?

   earliest=-10d@d latest=@m  ( event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 ) OR (sourcetype="UserIdentityV2-v02" ) 
     | stats count values(UserPrincipal) values(SHA256HashData)  by aid 
0 Karma
Highlighted

Re: What to use to a search a hash and return all info of all users that have a hit?

Engager

 

 

Found my own post 😛 use the following query to bind UserName to email like so ...


| join UserName
[search event_simpleName IN ("UserLogon*", "Login*") UserPrincipal!="svcSCOM.SvcNow@newellco.com" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-2d@d]

 

Reference :  https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting

0 Karma