Hi
This is my API AWS query:
"search index=aws userIdentity.type=Root eventName=ConsoleLogin earliest=-10d | rex field=_raw MFAUsed\D\D\s\D(?P<Mfa>\D?\S) | rex field=_raw principalId\D:\s\D(?P<principalId>\d*)" | stats count by principalId"
its working and im getting results.
Now I need your help with add the field that I parse (Mfa)
and to add Mfa="No" to the query
but its not showing resutls.
I tried to do something like that:
"search index="aws" (userIdentity.type="Root" eventName="ConsoleLogin" Mfa="No*" earliest=-10d | rex field=_raw MFAUsed\D\D\s\D(?P<Mfa>\D?\S) | rex field=_raw principalId\D:\s\D(?P<principalId>\d*)"
What Im missing?
Thanks!
Mfa hasn't been extracted until after the rex (that extracts it), so try something like:
"search index="aws" (userIdentity.type="Root" eventName="ConsoleLogin" earliest=-10d | rex field=_raw MFAUsed\D\D\s\D(?P<Mfa>\D?\S) | where Mfa="No*" | rex field=_raw principalId\D:\s\D(?P<principalId>\d*)"
"search index="aws" userIdentity.type="Root" eventName="ConsoleLogin" earliest=-10d | rex field=_raw MFAUsed\D\D\s\D(?P<Mfa>\D?\S) | where Mfa="No*" | rex field=_raw principalId\D:\s\D(?P<principalId>\d*) | stats count by principalId"
Got this error:
"messages": [
{
"type": "FATAL",
"text": "Error in 'where' command: The expression is malformed. The factor is missing."
You possibly need to add in escaping of the double-quotes(?)
"search index=\"aws\" userIdentity.type=\"Root\" eventName=\"ConsoleLogin\" earliest=-10d | rex field=_raw MFAUsed\D\D\s\D(?P<Mfa>\D?\S) | where Mfa=\"No*\" | rex field=_raw principalId\D:\s\D(?P<principalId>\d*) | stats count by principalId"