I wrote this query to help look for multiple Autonomous System Number (ASN) values and multiple user agent values in a user's Okta session, as this is an indication of a session hijack. I have created this search, which works as needed:

index="okta" actor.alternateId=*@* authenticationContext.externalSessionId!="unknown"
| eval "ASN"='securityContext.asNumber'
| eval "Session ID"='authenticationContext.externalSessionId'
| eval "User"='actor.alternateId'
| eval "Risk"='debugContext.debugData.risk'
| stats dc("user_agent") as "Agent Count" values(user_agent) AS "User Agent" dc(ASN) as "ASN Count" values(ASN) as ASN dc(Risk) as "Risk Count" values(Risk) as Risk by User "Session ID"
| table "Session ID", ASN, "ASN Count", "User Agent", "Agent Count", User, Risk
| search "ASN Count" > 1 AND "Agent Count" > 1

Session ID     | ASN        | ASN Count | User Agent             | Agent Count | User             | Risk
idxxxxxxxxxxxx | 12345, 321 | 2         | UserAgent1, UserAgent2 | 2           | user@company.com | {reasons=Anomalous Device, level=MEDIUM}
idxxxxxxxxxxxx | 6789, 321  | 2         | UserAgent1, UserAgent2 | 2           | user@company.com | {reasons=Anomalous Device, level=MEDIUM}

The issue is I am not getting only anomalous activity as expected, but many false positives, as most session IDs legitimately have more than one ASN attached to the session.

My thought was to create a lookup (asn_user.csv) that will eventually be updated through a scheduled search (at a slower rate than the main search is run) to append new data, to gather the User and ASNs that have had a successful transaction, using this search:

index="okta" actor.alternateId=*@* authenticationContext.externalSessionId!="unknown"
| eval "ASN"='securityContext.asNumber'
| eval "User"='actor.alternateId'
| table ASN User
| dedup ASN User

ASN   | User
12345 | user@company.com
321   | user@company.com

My issue right now is trying to use the lookup against the main search. The goal is: IF the ASN is new to the user from the main Okta search (meaning the ASN is not seen in the lookup file, asn_user.csv), then return the

| table "Session ID", ASN, "ASN Count", "User Agent", "Agent Count", User, Risk
| search "ASN Count" > 1 AND "Agent Count" > 1

results with the anomalous ASN, while still meeting the "ASN Count" > 1 AND "Agent Count" > 1 requirement.

Does anyone have some ideas to accomplish this?
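One way to join the baseline lookup into the main search, as an added example that is not the poster's own query: it assumes asn_user.csv is uploaded as a lookup table file with exactly the two columns ASN and User from the post, and the field names known_user and "New ASN" are my own. The lookup is applied per event before the stats, so each ASN is checked against the user's known list, and only sessions that still meet the ASN Count > 1 AND Agent Count > 1 rule and contain at least one ASN missing from the lookup are returned.

```spl
index="okta" actor.alternateId=*@* authenticationContext.externalSessionId!="unknown"
| eval ASN='securityContext.asNumber'
| eval "Session ID"='authenticationContext.externalSessionId'
| eval User='actor.alternateId'
| eval Risk='debugContext.debugData.risk'
| lookup asn_user.csv ASN User OUTPUT User AS known_user
| eval new_asn=if(isnull(known_user), ASN, null())
| stats dc(user_agent) AS "Agent Count" values(user_agent) AS "User Agent" dc(ASN) AS "ASN Count" values(ASN) AS ASN values(new_asn) AS "New ASN" dc(Risk) AS "Risk Count" values(Risk) AS Risk BY User "Session ID"
| where 'ASN Count' > 1 AND 'Agent Count' > 1 AND isnotnull('New ASN')
| table "Session ID" ASN "New ASN" "ASN Count" "User Agent" "Agent Count" User Risk
```

The where clause uses single-quoted field names because they contain spaces; the baseline search from the post can keep the lookup current by ending it with "| outputlookup append=true asn_user.csv" in the scheduled job.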