AWS Failed logins and coalesce command

samadmemon · ‎04-15-2019

Hi All,

On tracking the failed logins for AWS console through Cloudtrail logs, errorCode for specific set of logs is not captured correctly.

CORRECT PARSING :

awsRegion: us-east-1

errorMessage: Failed authentication

eventID:

eventName: ConsoleLogin

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion:

In the above log errorCode field is 'failure' which is true.

INCORRECT PARSING :

However, for the below log errorCode field is 'success'. Correct output should be errorCode=failure since it is a failed login whose user name is unknown.

awsRegion: us-east-1

errorMessage: No username found in supplied account

eventID:

eventName: CheckMfa

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion: 1.05

PROPS.CONF :

Below is the entry for errorCode in props.conf

EVAL-errorCode = coalesce('errorCode',if(like('responseElements.ConsoleLogin',"Failure"),"failure", "success"),"success").

QUESTION :

Please suggest the way how we can achieve the following :

if errorMessage=No username found in supplied account OR errorMessage=Failed authentication then errorCode should be 'failure' else it should be a success.

what should be the entry in props.conf for EVAL-errorCode so that it can be overwritten in local folder.

rmmiller · ‎11-19-2019

coalesce is for dealing with null values when you have to deal with them. Also, like is for SQL-like comparisons, which you aren't really doing here.

CloudTrail inputs can be a little tricky. Are you sure they are being ingested correctly?

vcarbona · ‎11-14-2019

I'm thinking this field should not be overwritten rather a new field should be created indicating the status whether it is success or failure. Not sure if doing so will break anything else.

AWS Failed logins and coalesce command

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes