Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search index for IP correlation

ldunzweiler
Engager
‎03-09-2020 11:53 AM

I am trying to do this logic. Each "IF" I can do separately no issue. However, I am not sure how to combine these two searches together as the second search is based off the output of the first.

IF we see more than 10 failed events (1201 OR 1203)

THEN IF we see more than 2 different users

    print ForwardedIP

    Pipe
        IF we see successful events (1200 OR 1202)

            Print Usernames

The searches basically consist of

index="auth" EventCode=1201 OR EventCode=1203 | rex "(?[^<]+)" | rex "(?[^<]+)" | stats values(UserId) as UserId by ForwardedIpAddress

And then EventCode 1200 and 1202 for successful auth.

If we see bad auths with multiple users from the same IP, and then we see a successful auth we want to know about it.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-09-2020 10:58 PM

Like this:

index="auth" AND (EventCode="1201" OR EventCode="1203" OR EventCode="1200" OR EventCode="1202")
| rex GarbledWhatever
| stats count(eval(EventCode="1201" OR EventCode="1203")) AS failed count(eval(EventCode="1200" OR EventCode="1202")) AS successful values(UserId) AS UserId dc(UserId) AS userCount BY ForwardedIpAddress
| where userCount>2 AND failed>10 AND successful>0
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-09-2020 12:41 PM

Try something like this

| stats count user_count by UserId, EventCode, ForwardedIpAddress
| eval NEW_FIELD=if(user_count>=2 AND (EventCode=1201 OR EventCode=1202),"Multiple users, same IP","Nothing to see here")
0 Karma
Reply

xavierashe
Contributor
‎03-09-2020 12:39 PM

Give map at try.

index="auth" EventCode=1201 OR EventCode=1203 | rex "(?[^\<]+)" | rex "(?[^\<]+)" | stats values(UserId) as UserId by ForwardedIpAddress | map search="search index=auth EventCode=1200 OR EventCode=1202 UserId=$UserId$"
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-09-2020 12:43 PM

Not a good idea to use map here.. You're already filtering down the eventcode's in the base of the search and iterating against each user_id field. What happens if there's hundreds of thousands of users? This is going to crush performance and does not scale well. Better approach is to use stats and pre-process the data and feed that into a conditional statement

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...