Searching across multiple log sets

btyler · April 19, 2024, 7:54pm

Is there any way to use the results of a search on one log set to search another other than copying the data into a new search?

I’m trying to monitor traffic for a set of devices. They’re all made by the same manufacturer so easiest way for me to find all of them is by the vendor OUI. Is there an easy way to take the results of the Host To IP Observations search and use them in a Network Flow search? As far as I can tell there’s no nested search functionality and I’ve tried linking the two log sets using the == operator (i.e. ip==source_address) but that just comes back with no results.

david_smith · April 22, 2024, 6:27pm

@btyler unfortunately what you are chasing after isn’t a current feature of log search or leql, and using the comparison operator only applies within the same log event, such as source_address==source_asset_address or something. Where the single log would contain both keys.

The only thing I could think of today would be to programmatically search fetch and re-query based on the result using our log search query API https://docs.rapid7.com/insightidr/log-search-api/#operation/postQueryLogs

This would enable you to manipulate the output and use it as input albeit a bit of legwork to get there.

Other than that, you could leverage variables if these lists are somewhat static, to save retyping every time. Use Variables in Queries | InsightIDR Documentation

sean_obrien · April 23, 2024, 9:03am

Yes, this would likely require two distinct queries. 1 to fetch the ip values, and the second to search that list of ip against the network flow logs.

for the first query, the recently added select operator would save some of the legwork parsing out the values. eg select(ip) where ()

alex_sanders · April 24, 2024, 11:41am

Actually trying to do the same thing but for Sysmon Event ID 3 and Process.Start events. Hopefully soon R7 IDR will have this built out.

sean_obrien · April 25, 2024, 9:50am

thanks for sharing the use case Alex.

to confirm my understanding - would it be to filter process start events by hosts that have a specific event code? rethinking my comment about select, a groupby might be best here to rule out duplicates.

Something like where(“event_id” = “3” ) groupby(“r7_context.asset.rrn”) limit(100)

then searching that list of asset rnns within the process starts?

where(“r7_context.asset.rrn” IN [asset_list_for_event_code_3]) ?

alex_sanders · April 25, 2024, 12:06pm

Hmm - That is something you can do? Is there an article you can point me to?

Didn’t realize you could run a second query based on those results

For the time being I was simply using a dashboard, but I hope R7 will develop a feature to allow cross log bucket search. Seems other SIEMS have the capability

sean_obrien · April 25, 2024, 1:08pm

Sorry for confusion - i was describing a two step process that involves some work on caller to parse the results from first query (likely to add into a variable), then execute the second query.

alex_sanders · April 25, 2024, 1:42pm

Gotcha.
To give full context…
I’m trying to get a better picture of what is executing rundll32 that is reaching out to the internet.
Which requires process.start events plus Sysmon event 3. Running two queries and comparing PIDs/R7 RNN between the two buckets manually

Based off https://www.elastic.co/guide/en/security/current/unusual-network-connection-via-rundll32.html