
Questions related to splunk builtin macros in correlation search

Ask Time: 2021-09-22T05:29:01    Author: voidMainReturn


I am not sure if this is the appropriate forum to ask this question, but I really need help and I am stuck. So here goes: I am exploring Splunk Enterprise Security and was specifically looking into analytic stories and correlation searches. For example: Analytic story: Trickbot
Correlation search: Attempt to stop security service

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR Processes.process_name = sc.exe) Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup security_services_lookup service as process OUTPUTNEW category, description
| search category=security
| `attempt_to_stop_security_service_filter`

I am trying to understand what exactly this code is doing, but I am stuck at these macros: security_content_summariesonly, drop_dm_object_name, security_content_ctime, attempt_to_stop_security_service_filter. I can't find definitions for these macros anywhere. I have tried to look into Settings -> Advanced search -> Search macros, but these are not listed there.
Can somebody help?

Author: voidMainReturn, reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article: https://stackoverflow.com/questions/69275756/questions-related-to-splunk-builtin-macros-in-correlation-search

warren:

If you have access to the host(s) Splunk's running on, you can find the definitions in $SPLUNK_HOME$/etc/*/macros.conf

If you don't have that access, then it's possible you don't have permissions to see the definitions of those macros

However, you can always use the Job Inspector to see how Splunk translates what you type into what it runs
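One way to do the on-host lookup warren describes, as an added example that is not part of the original answer: a POSIX shell function that walks the macros.conf files under a Splunk install, finds the stanza for a macro name (also matching the `name(N)` argument-count form Splunk uses for macros that take arguments, like `security_content_ctime(1)`) and prints each definition with its file, lowest-precedence layer first, so a `local` override shows up after the `default` it shadows. The sample install it builds is constructed and its macro definitions are placeholders, not the real content-app definitions; the `etc/{system,apps/*}/{default,local}` layout is assumed to be the standard one.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the standard layout
# $SPLUNK_HOME/etc/{system,apps/*}/{default,local}/macros.conf and that macros
# taking arguments are named with a count, e.g. [security_content_ctime(1)].

# Usage: find_macro_defs <macro_name> <splunk_home>
# Prints "<file>: <definition>" per matching stanza, lowest-precedence layer first.
find_macro_defs() {
    name="$1"
    home="$2"
    for f in "$home"/etc/system/default/macros.conf \
             "$home"/etc/apps/*/default/macros.conf \
             "$home"/etc/apps/*/local/macros.conf \
             "$home"/etc/system/local/macros.conf; do
        [ -f "$f" ] || continue
        awk -v n="$name" -v f="$f" '
            # every [stanza] header decides whether the following lines are ours
            /^\[/ { in_stanza = ($0 == "[" n "]" || index($0, "[" n "(") == 1) }
            in_stanza && /^definition[ \t]*=/ {
                sub(/^definition[ \t]*=[ \t]*/, "")
                print f ": " $0
            }' "$f"
    done
}

# Constructed sample install with placeholder definitions (not real ESCU content).
make_sample_home() {
    d=$(mktemp -d)
    app="$d/etc/apps/example_content_app"
    mkdir -p "$app/default" "$app/local"
    cat > "$app/default/macros.conf" <<'EOF'
[security_content_ctime(1)]
args = field
definition = convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
[attempt_to_stop_security_service_filter]
definition = search *
EOF
    # local/ override of the filter macro, the kind an admin adds to tune out a known host
    cat > "$app/local/macros.conf" <<'EOF'
[attempt_to_stop_security_service_filter]
definition = search NOT dest="build-server*"
EOF
    printf '%s\n' "$d"
}

home=$(make_sample_home)
find_macro_defs security_content_ctime "$home"
find_macro_defs attempt_to_stop_security_service_filter "$home"
rm -rf "$home"
```

Reading the filter macro this way also shows why the `*_filter` line at the end of every correlation search matters: a local override there silently narrows what the detection reports.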