Splunk Enterprise Security

How to search to see if a value in the description field is greater than a certain number?

rtsquared
Explorer

We have connected Duo Security with Splunk in order to track certain aspects of our security performance. To make things simple, when logging in to Duo, we can create a Bypass Code for a user in case they don't have another way of logging in for the moment. This Bypass Code is just a 9 digit number that the user will enter in order to be able to log in.

When creating the Bypass Code, I have the option to choose how long until the Bypass Code expires.

My question is: how can I create a search to see if a Bypass Code was created that is valid for a certain amount of time before it expires?

I want to search for Bypass Codes created with a validity period greater than 4 hours.

I am attaching a screenshot to show you what exactly I want to search for. In description, you will see "valid_secs" : 15000.

So how would I write the search so I can look for a Bypass Code being created with "valid_secs" being over a certain number (in this case over 14,400)?

0 Karma
1 Solution

rtsquared
Explorer

I just wanted to let everyone know how I figured this out.

The trick to getting this to work was using the FIELD EXTRACTOR and entering in my own custom REGULAR EXPRESSION.

JSON format can be tricky; it omits certain special characters. So I needed to view the event as raw text in order to see the extra backslashes that need to be accounted for.

The Regular Expression that I typed into the Field Extractor is below:

\\\"valid_secs\\\":\s(?<valid_secs>\d+)

This Regular Expression was able to successfully extract the integer value that came after the words valid_secs and store it into its own field which I named valid_secs.

Once this new field was extracted, I was able to type in the below search to get all events in which the field valid_secs was greater than the value 14400:

index=duo | search valid_secs>14400

I saved that search as an alert and I now get an alert every time that event is triggered.

Thank you to anyone who took the time to help and I hope this helps.


0 Karma

woodcock
Esteemed Legend

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| rex "description:[^}]+?\"valid_secs\":\s*(?<valid_secs>\d+)"
| where tonumber(valid_secs) >= 14400
0 Karma

adonio
Ultra Champion

Look for the spath command to extract fields from JSON.

0 Karma
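The answers in this thread suggest two ways of getting at the nested value: regex extraction against the escaped raw text (the accepted answer and woodcock's rex) and parsing the JSON (adonio's spath). The Python below is an added example, not code from the thread, from Duo, or from Splunk. It builds constructed sample events in the shape the original poster describes (a description field holding a JSON document serialised as a string, so its quotes are backslash-escaped in the raw event), extracts valid_secs both ways, applies the 14400-second threshold numerically, and shows why comparing the threshold as a quoted string would misfire. The event layout, field names other than valid_secs and description, and the admin usernames are assumptions.

```python
import json
import re

# Constructed sample raw events (not real Duo data) in the shape the original
# poster describes: an admin-log record whose "description" field is itself a
# JSON document serialised as a string, so its quotes appear backslash-escaped
# in the raw text. Usernames and the "action" values are assumptions.
RAW_EVENTS = [
    json.dumps({"action": "bypass_create", "username": "admin1",
                "description": json.dumps({"count": 1, "valid_secs": 15000, "remaining_uses": 1})}),
    json.dumps({"action": "bypass_create", "username": "admin2",
                "description": json.dumps({"count": 1, "valid_secs": 3600, "remaining_uses": 1})}),
    json.dumps({"action": "bypass_create", "username": "admin3",
                "description": json.dumps({"count": 1, "valid_secs": 900, "remaining_uses": 5})}),
    json.dumps({"action": "user_update", "username": "admin1",
                "description": json.dumps({"notes": "rename"})}),
]

# The accepted answer's pattern, with the named group restored and written in
# Python syntax. In the raw text the inner quotes are escaped, so the pattern
# has to match a backslash followed by a quote; the r'' prefix keeps Python
# from consuming those backslashes before the regex engine sees them.
VALID_SECS_RE = re.compile(r'\\"valid_secs\\":\s*(?P<valid_secs>\d+)')


def extract_valid_secs_regex(raw_event: str):
    """Field Extractor style: pull valid_secs out of the raw text with a regex."""
    match = VALID_SECS_RE.search(raw_event)
    return int(match.group("valid_secs")) if match else None


def extract_valid_secs_json(raw_event: str):
    """spath style: parse the outer JSON, then parse the JSON string held in description."""
    outer = json.loads(raw_event)
    description = outer.get("description")
    if not isinstance(description, str):
        return None
    try:
        inner = json.loads(description)
    except json.JSONDecodeError:
        return None
    value = inner.get("valid_secs") if isinstance(inner, dict) else None
    return int(value) if isinstance(value, int) else None


def find_long_lived_bypass_codes(raw_events, threshold_secs=14400,
                                 extractor=extract_valid_secs_json):
    """Return (username, valid_secs) for every bypass_create event whose code
    outlives the threshold (default 4 hours = 14400 s). The comparison is done
    on integers, which is the behaviour the search valid_secs>14400 relies on."""
    hits = []
    for raw in raw_events:
        event = json.loads(raw)
        if event.get("action") != "bypass_create":
            continue
        secs = extractor(raw)
        if secs is not None and secs > threshold_secs:
            hits.append((event.get("username"), secs))
    return hits


def compare_as_strings(value: str, threshold: str) -> bool:
    """Lexicographic comparison, which is what a quoted threshold gives you when
    the extracted field is still a string: "900" >= "14400" is True because
    the character "9" sorts after "1". Coerce to a number before comparing."""
    return value >= threshold


if __name__ == "__main__":
    print("spath-style:", find_long_lived_bypass_codes(RAW_EVENTS))
    print("regex-style:", find_long_lived_bypass_codes(RAW_EVENTS, extractor=extract_valid_secs_regex))
    print('"900" >= "14400" as strings:', compare_as_strings("900", "14400"),
          "| as numbers:", int("900") >= 14400)
```

Both extractors agree on these events; the JSON route is the more robust one when the inner document changes shape (extra whitespace, reordered keys), while the regex route is what the thread's Field Extractor approach reproduces. Whichever you use, keep the threshold numeric so a 900-second code is not reported as exceeding 14400.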