Splunk Enterprise Security

How to create an alias for a CIM field in Splunk ES?

jwalzerpitt
Motivator

I am extracting the src and user values from failed login attempts in Shibboleth logs and the value is "failed" so I can set an event type for failed Shib login attempts.

When I check the CIM documentation for fields for Authentication event datasets, I see the value ES expects is "failure".

How do I create an alias for the field action so that "failed" is set to "failure" so ES can then leverage it?

Thx

0 Karma

woodcock
Esteemed Legend

Probably the string failed is in your logs and it is a simple field extraction. If that's the case, then you need to create a calculated field that does:

eval action=if(action=="failed", "failure", action)
0 Karma

lkutch_splunk
Splunk Employee
Splunk Employee
0 Karma

jwalzerpitt
Motivator

Thx for the reply and link to the doc.

It's not so much the field needs an alias, but the value "failed" needs to be set as "failure". I thought that's where the SEDCMD would come into play.

0 Karma

jwalzerpitt
Motivator

Actually digging through Splunk Answers saw a way to use sedcmd and was wondering if this would be a way to handle the issue:

index=foo sourcetype="shibboleth:process" "Login by*" failed
| rex mode=sed field=_raw "s/failed/failure/g" 
| rex field=_raw "-\s\[(?P<src>(?:[0-9]{1,3}\.){3}[0-9]{1,3}).*:\sLogin\sby\s'(?P<user>.*)'\s(?P<action>failure)"

Running this extracts all three fields with correct values. If this looks good, could I then create an event type with this search for failed Shib login attempts?

Thx

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!