Hello, I have an alert that emails suspicious login attempts as a table with client_ip, the number of distinct logins used, the list of logins used, continent, and country. Basically, the table is created by this search (time window 60 minutes):

index=webauth sourcetype=cas login!="audit:unknown"
| eval login=lower(login)
| stats dc(login) AS number, values(login) AS "logins list" by client_ip
| iplocation allfields=true client_ip
| fields - City,MetroCode,Region,lat,lon,Timezone
| search number>1

Sample result:

client_ip    number  logins list    Continent  Country
192.168.0.6  3       foo bar baz    Somewhere  Here

We get many false positive alerts because some users make typos when they try to log in. I would like to clean this table of any login that is not very different from the first one. If a result line lists the logins myself and myselv, the Levenshtein distance between them is 1, so I would like to ditch the line (i.e. number would fall from 2 to 1, and the result would be excluded). If a result line lists myself, myselv, yourself, then the second login would be excluded, but the result should be kept in the final table because yourself is very different from myself. I hope it makes sense.

I've studied the solution at https://community.splunk.com/t5/Splunk-Search/Is-there-any-way-to-compare-multivalue-fields-to-single-value/td-p/317189 for hours, but my result is so ugly that I can't believe it's the only solution:

index=webauth sourcetype=cas login!="audit:unknown"
| eval login=lower(login)
| fields client_ip,login
| dedup client_ip,login
| mvcombine login
| eval n=mvcount(login), llogs=mvdedup(login)
| search n>1
| iplocation allfields=true client_ip
| fields - City,MetroCode,Region,lat,lon,Timezone,_raw,_time
| mvexpand login
| table *
| map maxsearches=100 search="
| makeresults
| eval login=\"$login$\", llogs=\"$llogs$\", number=\"$n$\" , Continent=\"$Continent$\" , Country=\"$Country$\" , client_ip=\"$client_ip$\"
| makemv delim=\"
\" llogs
| mvexpand llogs
| table *"
| `ut_levenshtein(login,llogs)`
| search ut_levenshtein>3
| fields - _time, llogs
| mvcombine login
| eval logins=mvdedup(login)
| eval number=mvcount(logins)
| fields - login
| dedup client_ip,logins
| table client_ip,number,logins,Continent,Country,ut_levenshtein

Any ideas for designing something better? Thanks!
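To be clear about the rule I want, here is a rough Python sketch of the intended logic. Nothing here is Splunk-specific; the names levenshtein, clean_logins, and THRESHOLD are just for illustration, and the cutoff matches the ut_levenshtein>3 from my ugly search above:

```python
# Sketch of the cleanup rule: per client_ip, keep the first login plus any
# login whose edit distance to the first exceeds a threshold; a row left
# with a single login would then fall below "number>1" and be excluded.

def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming Levenshtein edit distance."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]

THRESHOLD = 3  # same cutoff as `search ut_levenshtein>3`

def clean_logins(logins):
    """Keep the first login plus any login far enough from it."""
    first = logins[0]
    return [first] + [l for l in logins[1:]
                      if levenshtein(first, l) > THRESHOLD]

# clean_logins(["myself", "myselv"]) -> ["myself"]
#   (typo variant dropped, row collapses to one login and is excluded)
# clean_logins(["myself", "myselv", "yourself"]) -> ["myself", "yourself"]
#   (typo dropped, but the row survives because yourself is different)
```

Note this compares every login to the first one, as described in the prose above; my map-based SPL attempt instead compares each login against the whole list, which is part of why it got so convoluted.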