2 values for "User" field being shown.

maiks1
Engager

Hi all!

I'm currently trying to create an RDP session analysis dashboard. I'm using Sysmon event logs, specifically Event ID 3, to create an SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that exist in the Windows domain.

index=windows source=sysmon
DestinationPort=3389
EventCode=3
Image!="C:\Program Files\RANDOMAPP*"
| rename User as SourceUser
| search SourceUser!="NT AUTHORITY\NETWORK SERVICE"
SourceUser!="NT-AUTHORITY\Network Service"
SourceUser!="NT-AUTHORITY\SYSTEM"
| stats count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort
| sort - count

Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events.
Why is this happening and how can I prevent it from appearing in the "User" field?

When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?

User!=Windows\*
User!="Program Files*"

Also, if you check the events, you can see 2 events being displayed for "User".

Sorry for the bazillion questions, but I'm starting to get a bit frustrated here 😅

Thanks in advance for your help and have a great day!


efavreau
Motivator

@maiks1 When I saw another field's values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order to the same number of fields, introduction of a new field in the log, removal of a field, which changes the order of later fields in the log, etc. Sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you have identified what changed, then you can work on why it changed.

###

If this reply helps you, an upvote would be appreciated.
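To make the mechanism in the reply above concrete, here is an added example (not code from either poster or from Splunk) that imitates what happens when a sourcetype splits an event by position and the log producer changes the column order. All sample lines are constructed and only loosely imitate Sysmon Event ID 3; the field names (User, Image, SourceHostname, ...) are the ones from the question. The positional splitter stands in for a delimiter-based extraction, the key=value splitter shows an order-independent alternative, and check_user_field is a small sanity check of the kind you would run over a sample of recent events to confirm that the User column really is carrying an executable path. merge_extractions mimics how a field ends up with two values when two extractions both produce it.

```python
import re

# Constructed sample data, NOT real Sysmon output. A pipe-delimited rendering
# of one Event ID 3 record, in the column order the sourcetype was written for.
FIELD_ORDER = ["EventCode", "User", "Image", "SourceHostname",
               "DestinationHostname", "SourceIp", "DestinationIp", "DestinationPort"]

OLD_LINE = "3|CORP\\alice|C:\\Windows\\System32\\mstsc.exe|WS01|RDP01|10.0.0.5|10.0.0.20|3389"
# Same event after a hypothetical producer-side change that swapped the
# User and Image columns; the sourcetype still splits by position.
NEW_LINE = "3|C:\\Windows\\System32\\mstsc.exe|CORP\\alice|WS01|RDP01|10.0.0.5|10.0.0.20|3389"
# A key=value rendering of the same event, which does not depend on order.
KV_LINE = ('EventCode=3 User="CORP\\alice" Image="C:\\Windows\\System32\\mstsc.exe" '
           'SourceHostname=WS01 DestinationHostname=RDP01 SourceIp=10.0.0.5 '
           'DestinationIp=10.0.0.20 DestinationPort=3389')

IMAGE_PATH_RE = re.compile(r"^[A-Za-z]:\\")   # Windows executable path, e.g. C:\...
USER_RE = re.compile(r"^[^\\]+\\[^\\]+$")     # DOMAIN\account: exactly one backslash
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value or key="value with spaces"


def extract_positional(line):
    """Assign delimited columns to field names by position, as a fixed
    delimiter/field-list extraction does. Breaks silently if columns move."""
    return dict(zip(FIELD_ORDER, line.split("|")))


def extract_kv(line):
    """Order-independent key=value extraction; strips surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_user_field(event):
    """Return drift findings for one extracted event.

    A User value shaped like an executable path means the column layout
    changed underneath a positional extraction; an Image value that is not
    a path is the matching symptom on the other side of the swap."""
    findings = []
    user = event.get("User", "")
    if IMAGE_PATH_RE.match(user):
        findings.append(f"User holds an image path: {user!r}")
    elif not USER_RE.match(user):
        findings.append(f"User is not DOMAIN\\account: {user!r}")
    image = event.get("Image", "")
    if image and not IMAGE_PATH_RE.match(image):
        findings.append(f"Image is not a path: {image!r}")
    return findings


def merge_extractions(*extractions):
    """Combine several extractions of one event the way an indexer keeps every
    extracted value: a field that receives two different values becomes
    multivalued (a list) instead of being overwritten."""
    merged = {}
    for ext in extractions:
        for k, v in ext.items():
            vals = merged.setdefault(k, [])
            if v not in vals:
                vals.append(v)
    return merged


if __name__ == "__main__":
    for name, line in (("old layout", OLD_LINE), ("new layout", NEW_LINE)):
        ev = extract_positional(line)
        print(f"{name}: User={ev['User']!r} Image={ev['Image']!r}")
        for finding in check_user_field(ev):
            print("  drift:", finding)
    # Positional extraction of the new layout plus a key=value extraction of
    # the same event leaves User with two values: the symptom in the question.
    merged = merge_extractions(extract_positional(NEW_LINE), extract_kv(KV_LINE))
    print("User values after both extractions:", merged["User"])
```

Running the script prints no drift findings for the old layout, two for the new one (User holding a path, Image holding an account), and a two-element list for User once both extractions are combined. The practical takeaway matches the reply: compare a raw event from before the change with one from after it, column by column, before touching the search.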