Hi @bangalorep. This is the macro query I did. A AND B will be a result from other conditions, but it will always be a boolean value; in my case I use 0 AND 1, but it can be TRUE OR FALSE. This is the complete query I used.
inputlookup cve-vul-alienvault-lookup-usa
| eval CurrentCycle="20180201"
| eval cycle_detection_time=strptime(CurrentCycle,"%Y%m%d")
| eval Cycle1monthago = strftime(relative_time(cycle_detection_time,"@month-1month"),"%Y%m%d")
| where cycle_detection = CurrentCycle OR cycle_detection=Cycle1monthago
| eval A = if(Auth = "AuthOK" AND cycle_detection=Cycle1monthago,1,0)
| eval B = if((Auth = "AuthOK" OR Auth="NULL") AND cycle_detection=CurrentCycle,1,0)
| eventstats sum(A) as A , sum(B) as B, count by id,dest_ip
| eval F = if(A=1 AND B=0,1,0)
| where F=0
| eval IsResolved = case ((count = 2 AND cycle_detection=CurrentCycle),"Not Resolved",(count=1 AND cycle_detection=Cycle1monthago),"Resolved", count=1 AND cycle_detection=CurrentCycle,"New Vulnerability")
| fields id,dest_ip,cycle_detection,os,signature,type,cvss,cve,Resultados,IsResolved
The problem is now solved with the query I have because I only have 4 combinations of values between A AND B.
A = 0 AND B = 0
A = 0 AND B = 1
A = 1 AND B = 0
A = 1 AND B = 1
I want the result of all combinations except when A = 1 AND B = 0, so I decided to call the result F. F will be 1 if I want to ignore the result and 0 if I want to keep it, so I will have something like this:
A = 0 AND B = 0 so F = 0
A = 0 AND B = 1 so F = 0
A = 1 AND B = 0 so F = 1
A = 1 AND B = 1 so F = 0
The mathematical function which represents what I wanted is: F = (A AND BNEGATED). This is the same logic we use in electronic circuits. So if I receive these values in the results:
A = 1 AND B = 1
Then BNEGATED = 0, so F = (1 AND 0), then F = 0.
If I receive these values:
A = 1 AND B = 0
Then BNEGATED = 1, so F = (1 AND 1), then F = 1.
There are two ways (maybe more, but I don't know, and I'll be able to receive any recommendation) I can solve this problem. The first one is like the previous query:
| eval F = if(A=1 AND B=0,1,0)
| where F=0
That logic is OK because I only have two variables to compare and only 4 combinations available, but I really want to use a boolean function like the logic circuits in electronic components:
| eval NEGATEDB = if(B=0,1,0)
| eval F = A AND NEGATEDB
| where F=0
Why do I want to work this way? Because in this case I only have 2 variables (A and B) and only 4 combinations, but in the future I'm planning to have 4 variables (maybe more), and then I will have 16 combinations of values, so I don't want to use a case; I think a function is the best way (I might be wrong). For example, in the case with 3 variables I have this function:
F = B AND C AND ( A OR ANEGATED)
So when A = 1, B = 0, C = 1 I will have:
F = 0 AND 1 AND (1 OR 0) = 0 AND 1 AND 1 = 0. This is going to be OK.
If A = 1, B = 1, C = 0 I will have:
F = 1 AND 1 AND (1 OR 0) = 1 AND 1 AND 1 = 1. Splunk will filter this value because I want results when F=0.
In short, I want to work with Boolean values like arithmetic values:
eval V = X/t
where V >= 100
At the moment I don't know how to, or if it's possible.
I hope I did not confuse anyone hehehe, and I also did not focus on the A and B values; the A and B values will always be 0 or 1. Those values come from other conditionals but will be 1 or 0.
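An added example (not from the original post) of treating the 0/1 fields as arithmetic in SPL, which is exactly the "Boolean values like arithmetic values" idea above: AND becomes multiplication, NOT becomes 1 - x, and OR becomes 1 - (1 - x)(1 - y), so any gate-style function with N inputs is a single eval with no case() per combination. The rows are constructed with makeresults so it runs without the lookup; it assumes A, B and C are numeric 0 or 1 (as the post states), and the names n, NOT_A, NOT_B, A_OR_NOT_A, F2 and F3 are mine.

```spl
| makeresults count=8
| streamstats count as n
| eval A = floor((n - 1) / 4) % 2, B = floor((n - 1) / 2) % 2, C = (n - 1) % 2
| eval NOT_A = 1 - A, NOT_B = 1 - B
| eval F2 = A * NOT_B
| eval A_OR_NOT_A = 1 - (1 - A) * (1 - NOT_A)
| eval F3 = B * C * A_OR_NOT_A
| where F2 = 0
| table A B C F2 F3
```

The first three lines only build the 8-row truth table; in the real search, drop them and place the eval lines after the eventstats so F2 reproduces the existing F (0 for every combination except A = 1, B = 0) and F3 reproduces the 3-variable function from the post.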