Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

2 values for "User" field being shown.

maiks1
Engager
‎05-06-2024 03:23 AM

Hi all!

I'm currently trying to create a RDP session analysis dashboard.  I'm using sysmon eventlogs, specifically Event-ID "3" to create a SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that are existing in the windows domain.

 

index=windows source=sysmon 
DestinationPort=3389 
EventCode=3 
Image!="C:\Program Files\RANDOMAPP*" 
| rename User as SourceUser    
| search SourceUser!="NT AUTHORITY\NETWORK SERVICE"  
SourceUser!="NT-AUTHORITY\Network Service"  
SourceUser!="NT-AUTHORITY\SYSTEM" 
| stats  count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort
| sort  - count

 

Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events.
Why is this happening and how can I prevent it from appearing in the "User" field?
  obfuscated png splunk.png

When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?

 

User!=Windows\*
User!="Program Files*"

 

Also, if you check the events, you can see 2 events being displayed for “User”obfuscated png splunk2.png

Sorry for the bazilion questions, but I'm starting to get a bit frustrated here 😅

Thanks in advance for your help and have a great day!

 

 

 

Labels (2)
Labels
0 Karma
Reply

efavreau
Motivator
‎05-06-2024 05:33 AM

@maiks1When I saw another fields values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order to the same number of fields, introduction of a new field in the log, removal of a field, which changes the order of later fields in the log, etc.. Sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you identified what changed, then you can work on why it changed.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...