Hi, we have a Data Model based search that we filter based on a lookup (with match_type WILDCARD) that matches different fields
| tstats count, values(Processes.dest) as dest, dc(Processes.dest) as dest_dc, min(_time) as earliest, max(_time) as latest, values(Processes.user) as user, dc(Processes.user) as user_dc from datamodel=Endpoint.Processes by Processes.process_guid Processes.parent_process_guid Processes.parent_process Processes.parent_process_path Processes.process Processes.process_path Processes.process_hash Processes.user
| rex field=Processes.process_hash "MD5=(?<process_md5>[A-Z0-9]+)"
| `drop_dm_object_name(Processes)`
| lookup sysmon_rules parent_process parent_process_path process process_path process_md5 OUTPUT description score
This works well and saves us from having multiple searches in place, but it would be great if there was something like a match_type REGEX for lookups. We could then combine several entries in the lookup into one single line. For example, these 4 lines:
score,description,parent_process_path,parent_process,process_path,process,process_md5
80,Office: Execution MSHTA,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\mshta.exe,*,*
80,Office: Execution PWSH,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\powershell.exe,*,*
80,Office: Execution WSCRIPT,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\wscript.exe,*,*
80,Office: Execution CMD,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\cmd.exe,*,*
could be combined to:
score,description,parent_process_path,parent_process,process_path,process,process_md5
80,Office: Execution susp child,(?i)C:\Program Files (x86)\Microsoft Office\root\Office.*,.*,(cmd.exe|wscript.exe|powershell.exe|mshta.exe),.*,.*
We want to keep the possibility to match against multiple fields. Is there a trick (using inputlookup, map, ...) to optimize this? We're at a point where the lookup is getting cluttered because of small variations of processes in the endpoint data model we would like to alert on.
Hints, tips & help are appreciated.
Chris
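As an added illustration (not part of the question above, and not Splunk code), the following Python reproduces the two matching semantics the post compares: a WILDCARD lookup row per child process versus one consolidated row with regex columns, both applied across all five pattern fields at once. It assumes Splunk-style whole-field matching (a regex row has to match the entire field value, the same way `*` patterns do), case-insensitive comparison, and constructed lookup tables and events in the same column layout as the post. One practical point it makes visible: when a literal Windows path becomes a regex column, its backslashes, parentheses and dots have to be escaped, which is easy to overlook when converting wildcard rows by hand.

```python
import csv
import fnmatch
import io
import re

# Constructed lookup in the per-process WILDCARD form (same columns as the post's table).
WILDCARD_LOOKUP = r"""
score,description,parent_process_path,parent_process,process_path,process,process_md5
80,Office: Execution MSHTA,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\mshta.exe,*,*
80,Office: Execution PWSH,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\powershell.exe,*,*
80,Office: Execution WSCRIPT,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\wscript.exe,*,*
80,Office: Execution CMD,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\cmd.exe,*,*
"""

# Constructed consolidated form with regex columns. Note the escaping that the
# literal path needs once it is interpreted as a regex: '\\' for a backslash,
# '\(' and '\)' for the parentheses in "(x86)", '\.' for the dot in ".exe".
REGEX_LOOKUP = r"""
score,description,parent_process_path,parent_process,process_path,process,process_md5
80,Office: Execution susp child,(?i)C:\\Program Files \(x86\)\\Microsoft Office\\root\\Office.*,.*,.*\\(cmd|wscript|powershell|mshta)\.exe,.*,.*
"""

# The lookup's pattern columns, i.e. the fields the post's `lookup` command matches on.
PATTERN_FIELDS = ("parent_process_path", "parent_process", "process_path", "process", "process_md5")

# Constructed endpoint events; MD5 values are placeholders.
EVENTS = [
    {"parent_process_path": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_process": "WINWORD.EXE", "process_path": r"C:\Windows\System32\cmd.exe",
     "process": "cmd.exe", "process_md5": "0123456789ABCDEF0123456789ABCDEF"},
    {"parent_process_path": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_process": "EXCEL.EXE",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process": "powershell.exe", "process_md5": "0123456789ABCDEF0123456789ABCDEF"},
    {"parent_process_path": r"C:\Windows\explorer.exe", "parent_process": "explorer.exe",
     "process_path": r"C:\Windows\System32\cmd.exe", "process": "cmd.exe",
     "process_md5": "0123456789ABCDEF0123456789ABCDEF"},
    {"parent_process_path": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_process": "WINWORD.EXE", "process_path": r"C:\Windows\System32\notepad.exe",
     "process": "notepad.exe", "process_md5": "0123456789ABCDEF0123456789ABCDEF"},
]


def load_lookup(csv_text):
    """Parse a lookup CSV into a list of row dicts (csv's default dialect leaves backslashes alone)."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def wildcard_match(pattern, value):
    """WILDCARD semantics: '*' matches any run of characters, the whole field must match (assumed case-insensitive)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def regex_match(pattern, value):
    """Hypothetical REGEX semantics: the pattern must match the whole field value (assumed case-insensitive)."""
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None


def apply_lookup(event, rows, match):
    """Return (score, description) for every row whose pattern columns ALL match the event's fields."""
    hits = []
    for row in rows:
        if all(match(row[field], event.get(field, "")) for field in PATTERN_FIELDS):
            hits.append((int(row["score"]), row["description"]))
    return hits


def compare_lookups():
    """Run both lookup forms over EVENTS; returns [(process, wildcard descriptions, regex descriptions)]."""
    wildcard_rows = load_lookup(WILDCARD_LOOKUP)
    regex_rows = load_lookup(REGEX_LOOKUP)
    results = []
    for event in EVENTS:
        by_wildcard = [desc for _, desc in apply_lookup(event, wildcard_rows, wildcard_match)]
        by_regex = [desc for _, desc in apply_lookup(event, regex_rows, regex_match)]
        results.append((event["process"], by_wildcard, by_regex))
    return results


if __name__ == "__main__":
    for process, by_wildcard, by_regex in compare_lookups():
        print(f"{process:16} wildcard={by_wildcard!r:32} regex={by_regex!r}")
```

Both tables flag the same two events (cmd.exe and powershell.exe spawned under the Office path) and leave the explorer.exe and notepad.exe events unmatched; the only difference is that the four wildcard rows report a per-process description while the single regex row reports one shared description, which is the trade-off the question is asking about.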