Best approach to remove false positives (email) fr...

Esky73 · ‎04-03-2019

i have a search looking for "error" OR "fail" OR "failed" OR "exception" in events

However we are picking up false positives where there is an email in a field such as:

Also the position of the email is in different places within the field.

How best to exclude ?

sample fields:

msg:     LogCorrelationId XXXXXXXXXX. Email mr.error@hotmail.com. Info: Authentication MyAccountRegistrationStarted

msg:     2019-04-01T00:48:48.828Z facebook|XXXXX::Rules::EagerLinking:: searching for other users with email: [ 'mr.error@hotmail.com', 'mr.error@hotmail.com' ]    

msg:     2019-04-01T00:48:42.535Z ::identify-user-otp:: IsOTP: [{"name":"Mr X","email":"mr.error@hotmail.com","given_name":

HiroshiSatoh · ‎04-03-2019

Since "NOT" will slow down the search, I think that it is good to extract and filter once.

(your search) "error" OR "fail" OR "failed" OR "exception" |search NOT ("*error@*.*" OR "error*@*.*")

Esky73 · ‎04-03-2019

Thanks Hiroshi - this looks ok for error - but trying to future-proof there may potentially be emails that also have the other keywords in also.

HiroshiSatoh · ‎04-03-2019

I think that the condition(contains ) should be a lookup file.

 |search NOT [|inputlookup your_lookup.csv|table contains |rename contains as query]

Esky73 · ‎04-08-2019

hi Hiroshi - are you suggesting we have a lookup with all emails in ? i don't think thats possible to get a list of all potentially tens of thousands of emails ?

Best approach to remove false positives (email) from search when it contains 'error'

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?