AWS Failed logins and coalesce command

samadmemon · ‎04-15-2019

Hi All,

On tracking the failed logins for AWS console through Cloudtrail logs, errorCode for specific set of logs is not captured correctly.

CORRECT PARSING :

awsRegion: us-east-1

errorMessage: Failed authentication

eventID:

eventName: ConsoleLogin

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion:

In the above log errorCode field is 'failure' which is true.

INCORRECT PARSING :

However, for the below log errorCode field is 'success'. Correct output should be errorCode=failure since it is a failed login whose user name is unknown.

awsRegion: us-east-1

errorMessage: No username found in supplied account

eventID:

eventName: CheckMfa

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion: 1.05

PROPS.CONF :

Below is the entry for errorCode in props.conf

EVAL-errorCode = coalesce('errorCode',if(like('responseElements.ConsoleLogin',"Failure"),"failure", "success"),"success").

QUESTION :

Please suggest the way how we can achieve the following :

if errorMessage=No username found in supplied account OR errorMessage=Failed authentication then errorCode should be 'failure' else it should be a success.

what should be the entry in props.conf for EVAL-errorCode so that it can be overwritten in local folder.

rmmiller · ‎11-19-2019

coalesce is for dealing with null values when you have to deal with them. Also, like is for SQL-like comparisons, which you aren't really doing here.

CloudTrail inputs can be a little tricky. Are you sure they are being ingested correctly?

vcarbona · ‎11-14-2019

I'm thinking this field should not be overwritten rather a new field should be created indicating the status whether it is success or failure. Not sure if doing so will break anything else.

AWS Failed logins and coalesce command

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!