topic Re: Incomplete UserID in Splunk Search

Incomplete UserID

sgabriel1962 — Tue, 21 Nov 2023 14:43:05 GMT

How to I eliminate partial user id characters coming out of a search query? Here are examples of incomplete userIDs - whereupon they shouldnt appear at all: The middle GSA line is the correct example userID- the rest is garbage and I want to eliminate that

01022703
021216
07602381
"1206931120@GSA.GOV"
177
177670
1969412
232789

Re: Incomplete UserID

ITWhisperer — Tue, 21 Nov 2023 15:20:07 GMT

What pattern represents the valid user ids?

(?<userid>[^\"]+@[^\"]+)

https://regex101.com/r/sn0WLe/1

Re: Incomplete UserID

sgabriel1962 — Tue, 21 Nov 2023 15:33:03 GMT

where do I find this as Im using defaults coming out of the Windows TA

Re: Incomplete UserID

ITWhisperer — Tue, 21 Nov 2023 15:35:46 GMT

Perhaps you should tell us a bit more about what you are trying to do - since you posted this in the Splunk Search section, I presume this is part of a search, perhaps for a dashboard or a report? If so, what do you have so far?

Re: Incomplete UserID

richgalloway — Tue, 21 Nov 2023 15:54:40 GMT

How are you obtaining the user IDs in the first place? Is the field not extracted properly? Is the search not looking for the right thing? How can Splunk distinguish a valid ID from an invalid one?

Re: Incomplete UserID

sgabriel1962 — Tue, 21 Nov 2023 17:11:43 GMT

We are configuring for Brute Force login attempts, failures obviously. Here is the search string we have put together as we are working from TAs coming from Splunkbase.

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME | bucket _time span=1d | stats count by user src _time | stats sum(count) as count by user | sort – count

The list is coming back with all sorts of combinations as listed already, Im attempting to exclude IDs such as USERNAME or host/* as they dont make any sense. I cant post much publicly but you get the idea

Re: Incomplete UserID

ITWhisperer — Tue, 21 Nov 2023 17:41:17 GMT

Try something like this (assuming this pattern matches your valid user ids!)

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME | regex user="[^\"]+@[^\"]+" | bucket _time span=1d | stats count by user src _time | stats sum(count) as count by user | sort – count

Re: Incomplete UserID

sgabriel1962 — Tue, 21 Nov 2023 17:48:21 GMT

I can work from this - this is great thanks = but how can I now only record login attempts > 4 and ignore all others

Re: Incomplete UserID

ITWhisperer — Tue, 21 Nov 2023 17:51:39 GMT

For daily count > 4 per user, do this

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME | regex user="[^\"]+@[^\"]+" | bucket _time span=1d | stats count by user src _time | where count > 4 | stats sum(count) as count by user | sort – count