topic Re: Extracting Source Network Address from Windows Logs in Splunk Search

Extracting Source Network Address from Windows Logs

hiteshkh — Fri, 17 Sep 2021 16:05:27 GMT

Im working on extracting Source Network Address's from Splunk I've spent the past few hours defining my query and after a few days of researching and troubleshooting got it narrowed to the following.

The problem is the Source_Network_Address in windows event logs appears without spaces and the query is pulling data back that is not accurate for me. Im looking for Public IP's RDPing to a host not private IPs.

index=windows EventCode=4625 Source_Network_Address!="127.0.0.1" Source_Network_Address!="::1" | eventstats count as "EventCount" by EventCode | table EventCode EventCodeDescription EventCount Source_Network_Address ComputerName | sort EventCode | where EventCount>80

Yes I've tried excluding internal subnets however this is still not giving me expected output.

I need a way to extract Source Network Address without spaces.

https://community.splunk.com/t5/Splunk-Search/Need-to-pull-IP-from-Message-field/m-p/559816

I tried this however we are not extracting it via the IP Field.

When I go to extract the regex after searching by event count and index the field gets cut off in the regex editor that loads up. Not sure how to proceed here.

Re: Extracting Source Network Address from Windows Logs

hiteshkh — Fri, 17 Sep 2021 16:58:59 GMT

I was able to write regex to extract it.

Source Network Address:(?<ip>.\S+)

The Issues I had and remediations

1. The splunk Field Extractor window would cut off Microsoft windows event payloads by a half. So I could not select the field.

2. Splunk auto associates strings and ip's etc to a common field that can be utilized to be remapped across the environment so it can learn what these are. For example an IP Address is associated with <IP>

3. The Regex is not like normal regex that I'm used to for example (.?*)

4. The Source Network Address would pull back private IP's and public IP's Across the same event code. I extracted the private ones, then tried to find the IP field in the verbose mode search. Unfortunately, it wouldn't populate. So I re-ran the search and extracted the public IP field under the same field (Source Network Address) and then extracted it and named it Source Network Address -pub. This then populated my public ip's.

Re: Extracting Source Network Address from Windows Logs

hiteshkh — Fri, 17 Sep 2021 17:32:13 GMT

Finalized working query

index=windows EventCode=4625 ip!="private ip range to exclude" ip!="127.0.0.1" ip!="::1" ip!="-" ComputerName!="hostname you'd like to exclude that's noisy or you're aware of" | eventstats count as "EventCount" by EventCode | table EventCode EventCount ip ComputerName | sort EventCode | where EventCount>80

Re: Extracting Source Network Address from Windows Logs

hiteshkh — Mon, 20 Sep 2021 17:47:42 GMT

The previous Query was counting all events displayed. I modified this further and now I can get a failure count by ip.

index=windows EventCode=4625 ip!="private ip range to exclude" ip!="127.0.0.1" ip!="::1" ip!="-" | stats count as failures by ip, EventCode, ComputerName,| table EventCode ip failures ComputerName | sort failures | reverse

In addition you can easily add hostnames you wish to exclude with the line below by adding this before the | stats

ComputerName!="hostname you'd like to exclude that's noisy or you're aware of"