@somesoni2 coalesce(mvindex(split(src_user,"\\"),1),mvindex(split(dest_user,"\\"),1),recipient,sender,"unknown") , so this is the regex that is listed in the sourcetype as EVAL-user, it looks like that sourcetype is defined in splunk enterprise security. here is a log it works on - Jun 16 11:08:50 1.1.1.1 1 <14>1 2022-06-16T11:08:53-04:00 1.1.1.1 - - - - 1,2022/06/16 11:08:53,111111111111,THREAT,vulnerability,2305,2022/06/16 11:08:38,1.1.1.1,1.1.1.1,0.0.0.0,0.0.0.0,MPLS_Inbound Allow All,test\user,,ms-wmi,vsys1,EXT-MPLS,INT-LAN,ethernet1/1,ae1,test,2022/06/16 11:08:38,1612859,1,58153,49154,0,0,0x2000,tcp,alert,,Microsoft Windows NTLMSSP Detection(111111),any,informational,client-to and here is one where it is pulling random Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,1100,0,0,0,,abc123123," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",,,,0,,0,,N/A,info-leak,AppThreat-1111-7437,0x0,0,4294967295," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",53182164-f27e-48e8-ae5d-e502b5ff412b,0,,,,,,,,,,,,,,,,,,,,,,,,,,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,1969-12-31T19:00:00.000-05:00,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,infrastructure,networking,network-protocol,2,"has-known-vulnerability,tunnel-other-application,pervasive-use",msrpc,untunneled,no,no Here it's pulling user as - Qualys Cloud Agent URLs,computer-and-internet-info,low-risk This was my proposed fix - [\w]+\\(?<user>[\w]+) but it doesnt seem to do anything. TYVM!
... View more
