We have connected Duo Security with Splunk in order to track certain aspects of our security performance. To make things simple, when logging in to Duo, we can create a Bypass Code for a user in case they don't have another way of logging in for the moment. This Bypass Code is just a 9 digit number that the user will enter in order to be able to log in.
When creating the Bypass Code, I have the option to choose how long until the Bypass Code expires.
My question for you is how can I create a search to see if a Bypass Code was created with it being valid for a certain amount of time until it expires.
I want to search for Bypass Codes created with a validity period greater than 4 hours.
I am attaching a screenshot to show you what exactly I want to search for. In description, you will see "valid_secs" : 15000.
So how would I write the search so I can look for a Bypass Code being created with "valid_secs" being over a certain number (in this case over 14,400)?
I just wanted to let everyone know how I figured this out.
The trick to getting this to work was using the FIELD EXTRACTOR and entering in my own custom REGULAR EXPRESSION.
JSON format can be tricky, as it omits certain special characters. So I needed to view the event as raw text in order to see the extra backslashes that need to be accounted for.
The Regular Expression that I typed into the Field Extractor is below:
\\\"valid_secs\\\":\s(?<valid_secs>\d+)
This Regular Expression was able to successfully extract the integer value that came after the words valid_secs and store it into its own field which I named valid_secs.
Once this new field was extracted, I was able to type in the below search to get all events in which the field valid_secs was greater than the value 14400:
index=duo | search valid_secs>14400
I saved that search as an alert and I now get an alert every time that event is triggered.
Thank you to anyone who took the time to help and I hope this helps.
Like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| rex "description:[^}]+?\"valid_secs\":\s*(?<valid_secs>\d+)"
| where valid_secs >= 14400
Look for the spath command to extract fields from JSON.
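The two approaches in this thread, the escaped-quote regex from the field extractor answer and the structured spath-style parse suggested in the last reply, side by side as an added example (not code from any of the posters or from Duo/Splunk). Python stands in for SPL here; the event records, the field names other than valid_secs and description, and the 14400-second threshold handling are constructed for the demonstration.

```python
import json
import re

# Constructed sample events (not real Duo output): admin-log entries as Splunk ingests
# them, with the "description" field stored as a JSON-encoded string, so its inner
# quotes show up as \" in the raw event text. This is why the field extractor regex
# has to account for the extra backslashes.
def _event(username, action, description=None):
    entry = {"timestamp": 1700000000, "username": username, "action": action}
    if description is not None:
        entry["description"] = json.dumps(description)
    return json.dumps(entry)

RAW_EVENTS = [
    _event("alice", "bypass_create", {"valid_secs": 15000, "count": 1}),  # longer than 4h
    _event("bob", "bypass_create", {"valid_secs": 3600, "count": 1}),     # 1h
    _event("carol", "bypass_create", {"valid_secs": 14400, "count": 5}),  # exactly 4h
    _event("dave", "user_update", {"email": "dave@example.com"}),         # no valid_secs
    _event("erin", "admin_login"),                                        # no description
]

# Python equivalent of the field extractor regex. The raw event contains a backslash
# followed by a quote around valid_secs, so the pattern matches a literal backslash
# (\\) then a quote, and the named group captures the integer that follows.
VALID_SECS_RE = re.compile(r'\\"valid_secs\\":\s*(?P<valid_secs>\d+)')


def extract_valid_secs_regex(raw):
    """Regex extraction over the raw text, as the field extractor does."""
    m = VALID_SECS_RE.search(raw)
    return int(m.group("valid_secs")) if m else None


def extract_valid_secs_json(raw):
    """Structured alternative (what spath would give you): parse the event, then parse
    the description string as JSON instead of matching escaped quotes by hand."""
    try:
        event = json.loads(raw)
        desc = json.loads(event.get("description", "null"))
    except (ValueError, TypeError):
        return None
    if not isinstance(desc, dict):
        return None
    value = desc.get("valid_secs")
    return int(value) if isinstance(value, int) else None


def find_long_bypass_codes(raw_events, threshold=14400, extractor=extract_valid_secs_regex):
    """Equivalent of `search valid_secs>14400`: events whose bypass code is valid for
    strictly more than the threshold. Boundary value 14400 is not included."""
    hits = []
    for raw in raw_events:
        secs = extractor(raw)
        if secs is not None and secs > threshold:
            hits.append((json.loads(raw)["username"], secs))
    return hits


def compare_as_text(a, b):
    """Lexicographic comparison: the pitfall when an extracted field is compared to a
    quoted string such as "14400". "9000" sorts after "14400" because "9" > "1"."""
    return a >= b


if __name__ == "__main__":
    for username, secs in find_long_bypass_codes(RAW_EVENTS):
        print(f"bypass code for {username} valid for {secs}s (> 4h)")
    print("text compare 9000 >= 14400:", compare_as_text("9000", "14400"))
    print("numeric compare 9000 >= 14400:", 9000 >= 14400)
```

Both extractors agree on the sample set, but the JSON path also keeps working if Duo ever changes the whitespace or key order inside description, which the regex would not survive. The compare_as_text helper shows why the threshold should be a number rather than a quoted string in the search: compared as text, a one-hour code would match the alert.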