Joins#

Joining data is a powerful way to bring together multiple datasets, enrich data based on summaries of other datasets, or parse a single dataset multiple times and produce a single output. While joins are flexible, keep in mind that every joined query is executed as a full query in its own right, so a join over several large datasets costs as much as running each of those searches separately.

Example 2 - Multiple Data Sets#

Let’s build on the data from the last example and see what happened after a user connected to the risky IP.

If we look at the proxy logs and compare them to the threat intel from our previous example, it looks like we have one hit. The user is drevil and the internal IP is 192.168.5.25.

[Screenshot: proxy hit against the threat intel]

Since that event shows that a file was downloaded, let’s see if there is any activity in the AV tag from that IP. Because compound searches can be chained, we can keep moving the earlier results up the query and pivot on them.

[Screenshot: AV lookup]

We can see from the results that drevil shows up in a few places. Let’s expand our search to other data sources and match on either IP or username.

[Screenshot: username match]

With this result it looks like the attacker could not log in with the drevil credentials. What if they tried more than one username?

[Screenshot: IP match]

It looks like they used a password spray attack to find a working account and then performed some SQL table actions. Let’s find out what they did.

[Screenshot: results]

The attacker successfully logged in and performed a schema_update using the joenobody account.
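The pivot chain above (intel hit on the proxy logs, then AV, auth and SQL audit events matched on IP or username, then the password-spray check) can be expressed as a set of small joins over the datasets. The following Python is an added illustration of that logic and is not a Gravwell query; all of the records, the 203.0.113.45 risky IP, the extra usernames and the SQL audit fields are constructed sample data, and the spray threshold is an assumption.

```python
"""Pivot from a threat-intel hit across proxy, AV, auth and SQL-audit data.

Added example: plain Python over constructed records, not Gravwell syntax.
"""

# Constructed sample data. 203.0.113.45 stands in for the risky IP from the
# previous example; every other value below is made up for illustration.
INTEL = {"203.0.113.45"}

PROXY = [
    {"user": "alice", "src": "192.168.5.10", "dst": "198.51.100.7", "file": ""},
    {"user": "drevil", "src": "192.168.5.25", "dst": "203.0.113.45", "file": "update.exe"},
]
AV = [
    {"host_ip": "192.168.5.25", "user": "drevil", "event": "detection", "detail": "update.exe"},
    {"host_ip": "192.168.5.11", "user": "bob", "event": "scan_complete", "detail": ""},
]
AUTH = [
    {"src": "192.168.5.25", "user": "drevil", "result": "failure"},
    {"src": "192.168.5.25", "user": "drevil", "result": "failure"},
    {"src": "192.168.5.25", "user": "admin", "result": "failure"},
    {"src": "192.168.5.25", "user": "svc_backup", "result": "failure"},
    {"src": "192.168.5.25", "user": "joenobody", "result": "success"},
    {"src": "192.168.5.10", "user": "alice", "result": "success"},
]
SQL_AUDIT = [
    {"user": "joenobody", "src": "192.168.5.25", "action": "schema_update", "table": "customers"},
    {"user": "alice", "src": "192.168.5.10", "action": "select", "table": "orders"},
]


def intel_hits(proxy, intel):
    """Join proxy events against the intel set on destination IP."""
    return [e for e in proxy if e["dst"] in intel]


def by_ip_or_user(events, ips, users, ip_field, user_field="user"):
    """Keep events whose source IP OR username is in the pivot sets."""
    return [e for e in events if e[ip_field] in ips or e[user_field] in users]


def password_spray(auth, src_ip, min_users=3):
    """Flag a source that fails against many distinct usernames.

    min_users is an assumed threshold. Returns the usernames tried and the
    accounts that eventually succeeded from that source.
    """
    tried = {e["user"] for e in auth if e["src"] == src_ip and e["result"] == "failure"}
    won = {e["user"] for e in auth if e["src"] == src_ip and e["result"] == "success"}
    return {"spray": len(tried) >= min_users, "tried": sorted(tried), "compromised": sorted(won)}


def investigate(proxy=PROXY, intel=INTEL, av=AV, auth=AUTH, sql=SQL_AUDIT):
    """Run the whole pivot chain and return a summary dict."""
    hits = intel_hits(proxy, intel)
    ips = {h["src"] for h in hits}
    users = {h["user"] for h in hits}
    av_events = by_ip_or_user(av, ips, users, "host_ip")
    auth_events = by_ip_or_user(auth, ips, users, "src")
    spray = {ip: password_spray(auth, ip) for ip in ips}
    # The attacker may have switched accounts, so pivot SQL activity on the
    # compromised usernames as well as the original source IP.
    compromised = set().union(*(s["compromised"] for s in spray.values()))
    sql_events = [e for e in sql if e["user"] in compromised or e["src"] in ips]
    return {
        "hits": hits,
        "pivot_ips": sorted(ips),
        "av": av_events,
        "auth": auth_events,
        "spray": spray,
        "compromised": sorted(compromised),
        "sql": sql_events,
    }


if __name__ == "__main__":
    for k, v in investigate().items():
        print(k, v)
```

Each function is one of the joins from the walkthrough; `by_ip_or_user` is the "match on IP or username" step, and the OR is what lets the auth events for admin and svc_backup surface even though only drevil was in the original hit.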

Example 3 - Enriching Data with a Resource#

In this example we will create a scheduled search that keeps a threat intel resource up to date, and a query that uses that resource to look for matches between web proxy logs and the threat intel.

Creating a Resource from Log Data#

Let’s start with a query on the intel data that pulls, for each indicator value, the latest lastSeen timestamp, keeping only indicators that have been seen in the last week.

[Screenshot: LatestIntel query]

Now let’s save this to a resource. We will use the -save and -csv flags to save the results as a CSV resource.

[Screenshot: saving the results as a CSV resource]

Now we can create a scheduled search to keep the lookup up to date. We’ve used a naming pattern that identifies it as a Generator scheduled search whose output is a lookup resource.

[Screenshot: scheduled search]

Now we need to set the permissions on the scheduled search and the resource it generates, so that the users who will run the lookup query can read the resource.

[Screenshot: resource permissions]

Utilizing the Generated Lookup#

Now we will query our proxy logs to see if there are any matches with the threat intel data. Using the -s flag with the lookup module lets only entries with a match through; without it, entries that have no match in the resource are passed along unenriched.

[Screenshot: join query against the generated lookup]
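To make the generator and lookup steps concrete, the following Python is an added example that builds the "latest lastSeen per indicator within the last week" table, serialises it as CSV the way the saved resource would be, and then applies it to proxy logs in both strict and non-strict modes. It is not Gravwell query syntax and not the project's code: the intel feed records, the proxy events, the fixed clock value and the column names are all constructed for the example.

```python
"""Generate a 'latest intel' CSV lookup and apply it to proxy logs.

Added example in plain Python, not Gravwell syntax. All records and the
fixed NOW clock are constructed so the result is deterministic.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)  # assumed clock

# Constructed intel feed: the same indicator can show up many times with
# different lastSeen values, and some indicators are stale.
INTEL = [
    {"value": "203.0.113.45", "type": "ip", "lastSeen": "2024-05-01T10:00:00Z", "source": "feedA"},
    {"value": "203.0.113.45", "type": "ip", "lastSeen": "2024-05-13T08:30:00Z", "source": "feedB"},
    {"value": "198.51.100.99", "type": "ip", "lastSeen": "2024-05-14T02:00:00Z", "source": "feedA"},
    {"value": "192.0.2.200", "type": "ip", "lastSeen": "2024-03-01T00:00:00Z", "source": "feedA"},
]

# Constructed proxy events; 192.0.2.200 is in the feed but older than a week.
PROXY = [
    {"user": "alice", "src": "192.168.5.10", "dst": "198.51.100.7"},
    {"user": "drevil", "src": "192.168.5.25", "dst": "203.0.113.45"},
    {"user": "carol", "src": "192.168.5.30", "dst": "192.0.2.200"},
]

FIELDS = ["value", "type", "lastSeen", "source"]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_intel(records, now=NOW, window=timedelta(days=7)):
    """The generator query: newest lastSeen per value, seen within the window."""
    latest = {}
    for r in records:
        cur = latest.get(r["value"])
        if cur is None or parse_ts(r["lastSeen"]) > parse_ts(cur["lastSeen"]):
            latest[r["value"]] = r
    cutoff = now - window
    keep = [r for r in latest.values() if parse_ts(r["lastSeen"]) >= cutoff]
    return sorted(keep, key=lambda r: r["value"])


def to_csv(rows):
    """Serialise the table the way the -save -csv step stores the resource."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def load_lookup(csv_text, key="value"):
    """Read the CSV resource back into a dict keyed on the indicator value."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def lookup(events, table, key_field, strict):
    """Enrich events from the table; strict drops events with no match,
    mirroring the lookup module's -s behaviour as described on this page."""
    out = []
    for e in events:
        m = table.get(e[key_field])
        if m is None:
            if strict:
                continue
            out.append({**e, "intel_lastSeen": "", "intel_source": ""})
        else:
            out.append({**e, "intel_lastSeen": m["lastSeen"], "intel_source": m["source"]})
    return out


def run(strict=True):
    """Generator step followed by the proxy lookup; returns enriched events."""
    table = load_lookup(to_csv(latest_intel(INTEL)))
    return lookup(PROXY, table, "dst", strict)


if __name__ == "__main__":
    print(to_csv(latest_intel(INTEL)))
    for e in run(strict=True):
        print(e)
```

Note that carol's visit to 192.0.2.200 is not a hit even though the indicator exists in the raw feed: the generator only keeps indicators seen in the last week, so the age filter in the generator query is what decides what the downstream lookup can match.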