Splunk Enterprise Security

How to search to see if a value in the description field is greater than a certain number?

rtsquared
Explorer

We have connected Duo Security with Splunk in order to track certain aspects of our security performance. To make things simple, when logging in to Duo, we can create a Bypass Code for a user in case they don't have another way of logging in for the moment. This Bypass Code is just a 9 digit number that the user will enter in order to be able to log in.

When creating the Bypass Code, I have the option to choose how long until the Bypass Code expires.

My question for you is how can I create a search to see if a Bypass Code was created with it being valid for a certain amount of time until it expires.

I want to search for Bypass Codes created with a validity period greater than 4 hours.

I am attaching a screenshot to show you what exactly I want to search for. In description, you will see "valid_secs" : 15000.

So how would I write the search so I can look for a Bypass Code being created with "valid_secs" being over a certain number (in this case over 14,400)?

0 Karma
1 Solution

rtsquared
Explorer

I just wanted to let everyone know how I figured this out.

The trick to getting this to work was using the FIELD EXTRACTOR and entering in my own custom REGULAR EXPRESSION.

JSON format can be tricky, it omits certain special characters. So I needed to view the event as raw text in order to see the extra backslashes that need to be accounted for.

The Regular Expression that I typed into the Field Extractor is below:

\\\"valid_secs\\\":\s(?\d+)

This Regular Expression was able to successfully extract the integer value that came after the words valid_secs and store it into its own field which I named valid_secs.

Once this new field was extracted, I was able to type in the below search to get all events in which the field valid_secs was greater than the value 14400:

index=duo | search valid_secs>14400

I saved that search as an alert and I now get an alert every time that event is triggered.

Thank you to anyone who took the time to help and I hope this helps.

View solution in original post

0 Karma

rtsquared
Explorer

I just wanted to let everyone know how I figured this out.

The trick to getting this to work was using the FIELD EXTRACTOR and entering in my own custom REGULAR EXPRESSION.

JSON format can be tricky, it omits certain special characters. So I needed to view the event as raw text in order to see the extra backslashes that need to be accounted for.

The Regular Expression that I typed into the Field Extractor is below:

\\\"valid_secs\\\":\s(?\d+)

This Regular Expression was able to successfully extract the integer value that came after the words valid_secs and store it into its own field which I named valid_secs.

Once this new field was extracted, I was able to type in the below search to get all events in which the field valid_secs was greater than the value 14400:

index=duo | search valid_secs>14400

I saved that search as an alert and I now get an alert every time that event is triggered.

Thank you to anyone who took the time to help and I hope this helps.

0 Karma

woodcock
Esteemed Legend

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| rex "description:[^}]+?\"valid_secs\":\s*(?<valid_secs>\d+)"
| where valid_secs >= "14400"
0 Karma

adonio
Ultra Champion

look for spath command to extract fields from JSON

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...