Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you separate computer login attempts from real user login attempts?

mpasha
Path Finder
‎11-16-2018 02:28 PM

Good day,

I am trying to monitor our User Account logon activity through Splunk. As you might know, Active directory creates a huge amount of account logon events when a computer tries to access the network and does account activities as well. The only difference is that the Computer accounts have a "$" at the end of their names. this behavior will cause a lot of confusion for the teams when they are monitoring the environments for "Real" user activities.

I was thinking to create a field at indexing time "using an index time transform" to tag accounts with a $ in their names.
Here is the relevant part of the config in transforms.conf, props.conf and Fields.conf
Transforms.conf:

[AD_Computer]
REGEX = (?ms)\s+((Logon Account|Account Name):\s+\w+(\$)) \\this Regex will search for $ in the Account Name or Logon Account 
FORMAT = AD_Server::1
WRITE_META = True

Props.conf:

TRANSFORMS-ISComputer= AD_Computer

and the Fields.conf

[AD_Server]
INDEXED = true

here are the problems now:
1- The new tag "AD_Server"can not be found in the list of fields, but if I type "AD_Server=1" in the search bar, then i see some results.
2- the main purpose of this new field/tag was to be able to exclude the computer accounts from the search. However, when i add:
"AD_Server!=1" no results are returned!!

is there a way to say, if the Regex does not match a $, then the value for AD_Server is zero?

I was wondering if you have a better method to filter out these computer accounts or make the method i explained work properly.

Thanks for your help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎11-16-2018 08:53 PM

@richgalloway's very valid point aside... You should know that there are two ways of searching for a field not equal to a particular value in Splunk, and their semantics are slightly different:

AD_Server!=1 -> Means find all events that have a field named AD_Server with a value that is not equal to 1

whereas

NOT AD_Server=1 -> Means find all events that do not have a field named AD_Server with value equal to 1

It's very slight, but only the second form will find those events where the field AD_Server is not defined... the first form it will only return events that have a field named AD_Server. (which since you're only creating the field when you're assigning 1 to it, you want the second form)

You could indeed setup a second transform that would match only if the username does not contain a $... which likely would be a rather expensive regex, possibly involving backreferences... and you would have to run both the AD_Computer and the NOT AD_Computer regexes... Or you would just need to change your filter a bit, which might be the easier option.

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎11-16-2018 08:53 PM

@richgalloway's very valid point aside... You should know that there are two ways of searching for a field not equal to a particular value in Splunk, and their semantics are slightly different:

AD_Server!=1 -> Means find all events that have a field named AD_Server with a value that is not equal to 1

whereas

NOT AD_Server=1 -> Means find all events that do not have a field named AD_Server with value equal to 1

It's very slight, but only the second form will find those events where the field AD_Server is not defined... the first form it will only return events that have a field named AD_Server. (which since you're only creating the field when you're assigning 1 to it, you want the second form)

You could indeed setup a second transform that would match only if the username does not contain a $... which likely would be a rather expensive regex, possibly involving backreferences... and you would have to run both the AD_Computer and the NOT AD_Computer regexes... Or you would just need to change your filter a bit, which might be the easier option.

Reply
Solved! Jump to solution

mpasha
Path Finder
‎11-19-2018 08:48 AM

Thanks!! that works perfectly!!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-16-2018 04:24 PM

What's wrong with filtering names at search time? index=wineventlog sourcetype=WinEventLog:Security NOT Account_Name="*$" | ...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...