Hello,
We are performing a search based on a data table, and we are not getting any results.
The query:
metadata.log_type = "S1_ALERT"
principal.ip in cidr %data_table_xx.cidr
While performing the same logic in a test rule, we get the results that we need.
The rule logic:
events:
  $e.metadata.log_type = "S1_ALERT"
  $e.principal.ip in cidr %data_table_xx.cidr
outcome:
  $related_hostnames = array_distinct($e.principal.hostname)
  $related_threatname = array_distinct($e.security_result.threat_name)
  $related_username = array_distinct($e.principal.user.userid)
condition:
  $e
Can you please tell me if there is something missing in my query, or if there is an issue with data tables in searches?
Are you getting any sort of error or just no results? Is case sensitivity on when running the search?
No, I'm not getting any errors (case sensitivity is on)
The documentation referenced here shows examples only for Detection Rules. Although the top of the section states that "You can use data tables in conjunction with YARA-L queries in both Search and rules.", I'm finding this is not the case. Additionally, the function "net.ip_in_range_cidr" is not an option in Search. I am getting errors using the following examples.
events:
  //$e.metadata.log_type = "winevtlog" nocase
  //$e.principal.ip = /10.128.0.*/
  //$e.principal.ip in cidr %Bad_CIDR_Blocks.CIDR
  metadata.log_type = "winevtlog" nocase
  //principal.ip = /10.128.0.*/ //testing a range I know is in the data set, this is my control value
  principal.ip in cidr %Bad_CIDR_Blocks.CIDR
Example Error
My suggestion is to submit a case to Support, requesting clarification of the capabilities of Yara-L in Search vs Detection Rules. I'd also note in the case that the examples for Search on the mentioned document page utilize variables "$e.xyz.123", and as far as I can tell this format only works in Detection Rules. In Search you do not use the "$e" variable.
@Rached1996 I don't have any S1 data to perform a 1:1 comparison test on. I can confirm that data tables should work in search; the example below has two column matches in the same data table. The commented-out lines are used for row matching.
The case sensitivity does need to be set to On when doing the cidr (and I presume regex) data table search, but as you can see here I do get results with that. The keyword cidr is optional if the data table column has been declared cidr in the data table.
Is there anything more in the search beyond the ip and logtype? Is the data table using a declared datatype of cidr or is it set to string? Does our time window have events in it that match the criteria in the query and the list? Just trying to narrow down stuff. Since you aren't getting an error, this feels more like the data isn't there which I realize sounds weird in that you have rules output...
Hello, thanks for your reply. I'm still getting 0 results in searches.
Can you please provide me an example of your data in your data table?
How is it written into the data table?
Thanks
ip_block,description
10.1.0.0/24,Subsidiary Netblock
10.128.0.0/24,Corporate Netblock
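As an added, offline check that is not part of this thread or of the product: the snippet below parses a data-table CSV in the same shape as the one above and evaluates sample events against the same two conditions the search uses (metadata.log_type equality and principal.ip in a cidr column). It helps separate "the data isn't there" from "the search syntax isn't matching": if your own events and table rows do match here, the issue is on the Search side. The table contents and the events are constructed for the example, and the field names are the UDM paths used in the thread; the functions are hypothetical helpers, not a Google SecOps API.

```python
import csv
import io
import ipaddress

# Constructed data table, same columns as the CSV posted in the thread.
DATA_TABLE_CSV = """ip_block,description
10.1.0.0/24,Subsidiary Netblock
10.128.0.0/24,Corporate Netblock
"""

# Constructed sample events; keys are the UDM paths used in the search.
SAMPLE_EVENTS = [
    {"metadata.log_type": "S1_ALERT", "principal.ip": "10.128.0.17", "principal.hostname": "ws-01"},
    {"metadata.log_type": "S1_ALERT", "principal.ip": "192.0.2.44", "principal.hostname": "ws-02"},
    {"metadata.log_type": "s1_alert", "principal.ip": "10.1.0.9", "principal.hostname": "ws-03"},
    {"metadata.log_type": "WINEVTLOG", "principal.ip": "10.1.0.200", "principal.hostname": "dc-01"},
]


def load_cidr_column(csv_text, column):
    """Parse one column of a data-table CSV into ip_network objects.

    Rows that are not valid CIDR notation are returned separately instead of
    being dropped silently, since a column that holds strings rather than
    CIDR blocks is one of the things worth checking on the table side.
    """
    networks, bad_rows = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row[column].strip()
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            bad_rows.append(value)
    return networks, bad_rows


def ip_in_cidr(ip_text, networks):
    """True when ip_text is a valid address inside any of the networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def matching_events(events, networks, log_type, nocase=False):
    """Mirror the search: metadata.log_type = log_type AND principal.ip in cidr <column>.

    nocase=False reproduces a case-sensitive search, which the thread notes
    must be on for the cidr data-table match to work.
    """
    matched = []
    for event in events:
        lt = event.get("metadata.log_type", "")
        type_ok = lt.lower() == log_type.lower() if nocase else lt == log_type
        if type_ok and ip_in_cidr(event.get("principal.ip", ""), networks):
            matched.append(event)
    return matched


def related_hostnames(events):
    """Equivalent of the rule's array_distinct($e.principal.hostname) outcome."""
    return sorted({e["principal.hostname"] for e in events})


if __name__ == "__main__":
    nets, bad = load_cidr_column(DATA_TABLE_CSV, "ip_block")
    print("networks:", [str(n) for n in nets], "unparseable rows:", bad)
    hits = matching_events(SAMPLE_EVENTS, nets, "S1_ALERT")
    print("case-sensitive matches:", related_hostnames(hits))
    hits_nocase = matching_events(SAMPLE_EVENTS, nets, "S1_ALERT", nocase=True)
    print("nocase matches:", related_hostnames(hits_nocase))
```

Run it with your exported table and a handful of events from the time window you searched: zero matches here means the rows and events simply do not overlap (the "data isn't there" case raised above), while matches here but none in Search point at the query or the column type.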