How do I eliminate partial user ID characters coming out of a search query? Here are examples of incomplete user IDs, which shouldn't appear at all. The middle GSA line is the correct example user ID; the rest is garbage and I want to eliminate it.
01022703
021216
07602381
"1206931120@GSA.GOV"
177
177670
1969412
232789
How are you obtaining the user IDs in the first place? Is the field not extracted properly? Is the search not looking for the right thing? How can Splunk distinguish a valid ID from an invalid one?
Where do I find this, as I'm using the defaults coming out of the Windows TA?
Perhaps you should tell us a bit more about what you are trying to do - since you posted this in the Splunk Search section, I presume this is part of a search, perhaps for a dashboard or a report? If so, what do you have so far?
We are configuring for brute force login attempts, failures obviously. Here is the search string we have put together, as we are working from TAs coming from Splunkbase.
index=* (action=fail* OR action=block*) (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME | bucket _time span=1d | stats count by user src _time | stats sum(count) as count by user | sort - count
The list is coming back with all sorts of combinations as listed already. I'm attempting to exclude IDs such as USERNAME or host/* as they don't make any sense. I can't post much publicly, but you get the idea.
Try something like this (assuming this pattern matches your valid user ids!)
index=* (action=fail* OR action=block*) (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d | stats count by user src _time | stats sum(count) as count by user | sort - count
I can work from this - this is great, thanks - but how can I now only record login attempts > 4 and ignore all others?
For a daily count > 4 per user, do this:
index=* (action=fail* OR action=block*) (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d | stats count by user src _time
| where count > 4
| stats sum(count) as count by user | sort - count
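To make the pipeline in the two answers above concrete outside of Splunk, here is an added Python example (not from the thread or from any Splunk TA) that replays the same logic over a constructed set of events: the `user!=...` exclusions and the `regex user="[^\"]+@[^\"]+"` filter from the first answer, then the per-user/src/day bucketing, the `where count > 4` cut, and the per-user sum from the second. The sample events, IP addresses, the second GSA-style ID and the `@domanname` placeholder are made up for illustration; `fail*`/`block*` are matched with a simple prefix test, which is what the SPL wildcards do.

```python
import re
from collections import Counter
from datetime import datetime

# Filters lifted from the thread's search: literal exclusions first, then the
# regex that only keeps values shaped like user@domain.
EXCLUDED_EXACT = {"", "USERNAME", "sec-gsa-scan", "host/WS Authentication"}
EXCLUDED_SUFFIX = "@domanname"  # placeholder domain kept from the original search
EXCLUDED_PREFIX = "USX"
VALID_USER_RE = re.compile(r'[^"]+@[^"]+')  # same pattern as | regex user="[^\"]+@[^\"]+"


def is_candidate_user(user):
    """Mirror the user=* / user!=... clauses plus the regex command."""
    if user in EXCLUDED_EXACT:
        return False
    if user.endswith(EXCLUDED_SUFFIX) or user.startswith(EXCLUDED_PREFIX):
        return False
    # Partial IDs such as 01022703 or 177 have no '@' and are dropped here.
    return VALID_USER_RE.search(user) is not None


def is_failure(action):
    """action=fail* OR action=block*"""
    return action.startswith("fail") or action.startswith("block")


def daily_buckets(events):
    """bucket _time span=1d | stats count by user src _time"""
    counts = Counter()
    for ts, action, user, src in events:
        if not is_failure(action) or not is_candidate_user(user):
            continue
        day = datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
        counts[(user, src, day)] += 1
    return counts


def brute_force_candidates(events, threshold=4):
    """where count > threshold | stats sum(count) as count by user | sort - count

    Note the threshold is applied per user/src/day bucket, exactly as in the
    SPL, so a user with many low-volume sources never reaches the total.
    """
    totals = Counter()
    for (user, _src, _day), n in daily_buckets(events).items():
        if n > threshold:
            totals[user] += n
    return totals.most_common()


def _repeat(n, ts, action, user, src):
    return [(ts, action, user, src)] * n


# Constructed sample events (not real logs): (timestamp, action, user, src).
SAMPLE_EVENTS = (
    _repeat(6, "2019-03-01T08:00:00Z", "failure", "1206931120@GSA.GOV", "10.1.1.5")
    + _repeat(2, "2019-03-01T09:00:00Z", "failure", "1206931120@GSA.GOV", "10.1.1.9")
    + _repeat(5, "2019-03-02T08:00:00Z", "blocked", "1206931120@GSA.GOV", "10.1.1.5")
    + _repeat(3, "2019-03-01T08:00:00Z", "failure", "3344556677@GSA.GOV", "10.1.1.5")
    + _repeat(6, "2019-03-01T08:00:00Z", "failure", "USERNAME", "10.1.1.5")
    + _repeat(6, "2019-03-01T08:00:00Z", "failure", "01022703", "10.1.1.5")
    + _repeat(6, "2019-03-01T08:00:00Z", "failure", "host/WS Authentication", "10.1.1.5")
    + _repeat(6, "2019-03-01T08:00:00Z", "failure", "jdoe@domanname", "10.1.1.5")
    + _repeat(6, "2019-03-01T08:00:00Z", "failure", "USX0001", "10.1.1.5")
    + _repeat(6, "2019-03-01T08:00:00Z", "success", "1206931120@GSA.GOV", "10.1.1.5")
)

if __name__ == "__main__":
    for user, count in brute_force_candidates(SAMPLE_EVENTS):
        print(f"{user}\t{count}")
```

Running it reports only `1206931120@GSA.GOV` with 11: the two failures from 10.1.1.9 on the first day fall below the threshold and are discarded before the per-user sum, and the six `success` events are never counted. The regex is a shape check, not an identity check: any junk value that happens to contain an `@` will still pass, so the `user!=` exclusions remain necessary alongside it.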