topic Re: _audit search for regex's in Splunk Search

_audit search for regex's

reneedeleon — Tue, 23 Apr 2019 13:47:46 GMT

Is it possible to build a search looking for regex variances? i.e. SSN regex, CC regex

Re: _audit search for regex's

richgalloway — Tue, 23 Apr 2019 16:48:35 GMT

Please explain your use case. What is a "regex variance"?

Re: _audit search for regex's

ryhluc01 — Tue, 23 Apr 2019 17:47:31 GMT

What are you asking? What should your query or data should look like.
Are you trying to locate those patterns (regex or rex)? Replace things (rex)? What do you mean when you say regex variance? Are you trying to test your pattern to see if it will work on your data?

Just in case:
SSN regex:

\d{3}-\d{2}-\d{4}

Testing sites I use:
https://regex101.com/
https://regexr.com/3f4vo (Engine needs to be changed to PCRE)

I need more information before I can help you with your query.

Re: _audit search for regex's

reneedeleon — Wed, 24 Apr 2019 14:32:23 GMT

I am looking for both regex and rex. I have the same SSN regex. (I am not really good with generating rex or regex) We want to monitor our _audit index for searches containing SSN, specific IP addresses and Credit Card rex and/or regex's. As far as variances I was meaning rex and regex.

Re: _audit search for regex's

richgalloway — Thu, 25 Apr 2019 12:48:35 GMT

So you want to know whenever one of your users searches for a SSN, IP address, or credit card number, is that it? If so, you have quite a challenge on your hands. There are a great many ways to construct regular expressions for each of those and a regular expression to detect those regular expressions is beyond anything I'd like to try.
Of course, if your data doesn't contain any SSNs or CC numbers (and it really should not) then it doesn't matter if anyone searches for them.
Perhaps if you described the problem you're trying to solve we can offer another solution.

Re: _audit search for regex's

reneedeleon — Fri, 26 Apr 2019 14:58:30 GMT

That is exactly as you stated. We are sure our data does not contain CC and SSN but you never know. But I do know we have IP addresses in our data. Since this is a completely new realm to me I am trying to gather as much information as possible to attempt a query searching for regex's such as SSN, CC and IP addresses, but of course it would help if I can explain my questions better as well.

Re: _audit search for regex's

woodcock — Sun, 28 Apr 2019 19:27:43 GMT

Try this:

index=_audit sourcetype=audittrail action=search
| regex search="(?<!\d)(\d{3}[\s\-]\d{2}[\s\-]\d{4})|(\d{4}[\s\-]\d{4}[\s\-]\d{4}[\s\-]\d{4})(?!\d)"