I'm working on extracting Source Network Addresses from Splunk. I've spent the past few hours defining my query, and after a few days of researching and troubleshooting I've got it narrowed down to the following.
The problem is that Source_Network_Address in Windows event logs appears without spaces, and the query is pulling back data that is not accurate for me. I'm looking for public IPs RDPing to a host, not private IPs.
index=windows EventCode=4625 Source_Network_Address!="127.0.0.1" Source_Network_Address!="::1" | eventstats count as "EventCount" by EventCode | table EventCode EventCodeDescription EventCount Source_Network_Address ComputerName | sort EventCode | where EventCount>80
Yes, I've tried excluding internal subnets; however, this is still not giving me the expected output.
I need a way to extract Source Network Address without spaces.
https://community.splunk.com/t5/Splunk-Search/Need-to-pull-IP-from-Message-field/m-p/559816
I tried this; however, we are not extracting it via the IP field.
When I go to extract the regex after searching by event count and index, the field gets cut off in the regex editor that loads up. Not sure how to proceed here.
I was able to write regex to extract it.
Source Network Address:\s*(?<ip>\S+)
The issues I had and remediations:
1. The Splunk Field Extractor window would cut off Microsoft Windows event payloads by half, so I could not select the field.
2. Splunk auto-associates strings, IPs, etc. to a common field that can be remapped across the environment so it can learn what these are. For example, an IP address is associated with <IP>.
3. The regex is not like the normal regex I'm used to, for example (.?*).
4. The Source Network Address would pull back private IPs and public IPs across the same event code. I extracted the private ones, then tried to find the IP field in the verbose-mode search. Unfortunately, it wouldn't populate. So I re-ran the search, extracted the public IP field under the same field (Source Network Address), and named it Source Network Address -pub. This then populated my public IPs.
The previous query was counting all events displayed. I modified this further, and now I can get a failure count by IP.
index=windows EventCode=4625 ip!="private ip range to exclude" ip!="127.0.0.1" ip!="::1" ip!="-" | stats count as failures by ip, EventCode, ComputerName | table EventCode ip failures ComputerName | sort - failures
In addition, you can easily exclude noisy hostnames by adding the line below before the | stats:
ComputerName!="hostname you'd like to exclude that's noisy or you're aware of"
Finalized working query:
index=windows EventCode=4625 ip!="private ip range to exclude" ip!="127.0.0.1" ip!="::1" ip!="-" ComputerName!="hostname you'd like to exclude that's noisy or you're aware of" | eventstats count as "EventCount" by EventCode | table EventCode EventCount ip ComputerName | sort EventCode | where EventCount>80
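Added example (not part of the original post, and not Splunk code): the same pipeline as the thread's final query, reproduced in Python over constructed 4625 message excerpts so the extraction and the private-range exclusion can be checked offline. The pattern is the post's extraction with the whitespace after the colon kept outside the capture group, so the field holds only the address. Instead of a string inequality per address it compares each parsed address against an explicit list of RFC 1918, loopback and link-local networks, unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d) before comparing, and drops the literal "-" that Windows writes when no source address is known. Host names, addresses and the threshold are made up for the sample.

```python
import ipaddress
import re
from collections import Counter

# Posted extraction with the whitespace after the colon consumed outside the
# capture group, so group "ip" holds only the address (no leading tab).
SOURCE_ADDR_RE = re.compile(r"Source Network Address:\s*(?P<ip>\S+)")

# Ranges a "public RDP source" must not fall in. Checked as networks rather
# than as string inequalities, which cannot express a range.
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local
)]


def make_event(computer, ip_text):
    """Constructed 4625 Message excerpt in the tab-separated layout Windows uses."""
    message = ("An account failed to log on.\r\n\r\n"
               "Logon Type:\t\t\t10\r\n\r\n"
               "Network Information:\r\n"
               "\tWorkstation Name:\t-\r\n"
               f"\tSource Network Address:\t{ip_text}\r\n"
               "\tSource Port:\t\t51234\r\n")
    return (computer, message)


# Constructed sample: (ComputerName, Message) pairs, hosts and addresses invented.
SAMPLE_EVENTS = (
    [make_event("RDP01", "203.0.113.45")] * 3
    + [make_event("RDP01", "10.20.30.40")] * 2
    + [make_event("RDP01", "-"),
       make_event("RDP02", "198.51.100.7"),
       make_event("RDP02", "127.0.0.1"),
       make_event("RDP02", "::ffff:203.0.113.45"),
       make_event("RDP02", "fe80::1")]
)


def extract_source_ip(message):
    """Return the raw Source Network Address text, or None if absent."""
    m = SOURCE_ADDR_RE.search(message)
    return m.group("ip") if m else None


def parse_ip(ip_text):
    """Parse to an address object; unparseable text such as '-' gives None.
    IPv4-mapped IPv6 is unwrapped so ::ffff:10.0.0.5 hits the IPv4 exclusions."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_external(ip_text):
    """True only for a parseable address outside every excluded network."""
    addr = parse_ip(ip_text)
    return addr is not None and not any(addr in net for net in EXCLUDED_NETWORKS)


def failures_by_external_ip(events):
    """Equivalent of '| stats count as failures by ip, ComputerName' after the
    exclusions; keys are (normalised ip, ComputerName)."""
    counts = Counter()
    for computer, message in events:
        raw = extract_source_ip(message)
        if raw is None or not is_external(raw):
            continue
        counts[(str(parse_ip(raw)), computer)] += 1
    return counts


def flag(counts, threshold):
    """Rows with more than `threshold` failures, highest first (the post's
    'where EventCount>80' with the number made a parameter)."""
    rows = [(ip, host, n) for (ip, host), n in counts.items() if n > threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for ip, host, n in flag(failures_by_external_ip(SAMPLE_EVENTS), 2):
        print(f"{host}\t{ip}\t{n} failures")
```

The network-list check is what the SPL placeholder `ip!="private ip range to exclude"` cannot do, since `!=` is an exact string comparison; in a Splunk search the corresponding range test is `eval` or `where` with `cidrmatch()`, for example `| where NOT cidrmatch("10.0.0.0/8", ip)`, repeated for each excluded range.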