Discover non-standard hosts using checkif directive
_checkif is a query directive in DNIF Query Language (DQL) used to apply conditional logic to a result set. This directive works like any other function in a programming language. Using this directive, you can compare strings, integers, dates and times. You can also use it to compare fields in a result set with a user-created store.
For this example, we’ll use the str_compare function in the _checkif directive. This function compares string values in order to refine a result set. The parameters in str_compare include:
Suppose an organization has a certain naming convention for all their hosts. The query below retrieves data from the past 24 hours and lists all the unique hostnames running Windows.
_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $Duration=24h group count_unique $SystemName limit 100
We can specify the standard naming convention for these hostnames using regular expressions, which the _checkif directive in DNIF supports. The expression we’ll use for this example is
This expression will fetch results and exclude all hostnames that begin with DESKTOP- followed by any string. We can replace this with any other standard regular expression. To apply this in a query, we can use the
_checkif str_compare function as shown below:
_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $Duration=60d group count_unique $SystemName limit 100 >>_checkif str_compare $SystemName regex 'DESKTOP\-[A-Za-z]\w+' exclude
The first query fetches data from the past 60 days and lists all of the unique system names within the duration specified. The query that follows uses the _checkif directive with the str_compare function to check if the unique system names match the regular expression in the query. Those that do not match the pattern are then listed and can be classified as nonstandard hosts. This use case can also be adapted to detect non-standard users, which may have been created with malicious intent by insiders.