Incomplete UserID

sgabriel1962
Explorer

How do I eliminate partial user ID characters coming out of a search query? Here are examples of incomplete userIDs, whereupon they shouldn't appear at all. The middle GSA line is the correct example userID; the rest is garbage and I want to eliminate that.

01022703
021216
07602381
"1206931120@GSA.GOV"
177
177670
1969412
232789

richgalloway
SplunkTrust

How are you obtaining the user IDs in the first place?  Is the field not extracted properly?  Is the search not looking for the right thing?  How can Splunk distinguish a valid ID from an invalid one?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ITWhisperer
SplunkTrust

What pattern represents the valid user ids?

(?<userid>[^\"]+@[^\"]+)

https://regex101.com/r/sn0WLe/1

 

0 Karma

sgabriel1962
Explorer

Where do I find this, as I'm using defaults coming out of the Windows TA?

0 Karma

ITWhisperer
SplunkTrust

Perhaps you should tell us a bit more about what you are trying to do - since you posted this in the Splunk Search section, I presume this is part of a search, perhaps for a dashboard or a report? If so, what do you have so far?

0 Karma

sgabriel1962
Explorer

We are configuring for Brute Force login attempts, failures obviously. Here is the search string we have put together as we are working from TAs coming from Splunkbase.

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME | bucket _time span=1d | stats count by user src _time | stats sum(count) as count by user | sort - count

The list is coming back with all sorts of combinations as listed already. I'm attempting to exclude IDs such as USERNAME or host/* as they don't make any sense. I can't post much publicly but you get the idea.

0 Karma

ITWhisperer
SplunkTrust

Try something like this (assuming this pattern matches your valid user ids!)

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d | stats count by user src _time | stats sum(count) as count by user | sort - count

 

0 Karma

sgabriel1962
Explorer

I can work from this - this is great, thanks - but how can I now only record login attempts > 4 and ignore all others?

0 Karma

ITWhisperer
SplunkTrust

For daily count > 4 per user, do this

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d | stats count by user src _time
| where count > 4
| stats sum(count) as count by user | sort - count
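
An added example, not part of the original thread: the final search above re-expressed in Python over constructed events, to show what each pipeline stage keeps. Day buckets are assumed to be UTC, and the names `brute_force_counts`, `SAMPLE_EVENTS` and the sample users and addresses are illustrative; note that the `where count > 4` test applies to each user/src/day row before the per-user sum.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Same pattern as the `regex user=...` step. Splunk's regex command matches
# anywhere in the field value, so re.search is the equivalent.
VALID_USER = re.compile(r'[^"]+@[^"]+')

def brute_force_counts(events, threshold=4):
    """events: iterable of (epoch_seconds, user, src).
    Returns [(user, count)] sorted by count, highest first."""
    per_day = Counter()
    for ts, user, src in events:
        if not VALID_USER.search(user):          # | regex user="[^\"]+@[^\"]+"
            continue
        # | bucket _time span=1d  (assumption: UTC day boundaries)
        day = datetime.fromtimestamp(ts, tz=timezone.utc).date()
        per_day[(user, src, day)] += 1           # | stats count by user src _time
    totals = Counter()
    for (user, _src, _day), count in per_day.items():
        if count > threshold:                    # | where count > 4
            totals[user] += count                # | stats sum(count) as count by user
    # | sort - count
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def _burst(user, src, start, n):
    """Constructed helper: n failed-login events one minute apart."""
    return [(start + 60 * i, user, src) for i in range(n)]

DAY1 = 1_699_920_000  # 2023-11-14 00:00:00 UTC

# Constructed sample data; the numeric fragments mimic the garbage values in the question.
SAMPLE_EVENTS = (
    _burst("1000000001@example.gov", "10.0.0.5", DAY1, 6)        # kept: 6 > 4
    + _burst("1000000001@example.gov", "10.0.0.9", DAY1, 2)      # row dropped: 2 <= 4
    + _burst("alice@example.gov", "10.0.0.7", DAY1, 5)           # kept
    + _burst("alice@example.gov", "10.0.0.7", DAY1 + 86400, 5)   # kept, next day
    + _burst("bob@example.gov", "10.0.0.8", DAY1, 3)             # row dropped
    + _burst("177670", "10.0.0.6", DAY1, 9)                      # no "@": removed by regex
    + _burst("021216", "10.0.0.6", DAY1, 7)                      # no "@": removed by regex
)

if __name__ == "__main__":
    for user, count in brute_force_counts(SAMPLE_EVENTS):
        print(f"{user}\t{count}")
```

The reported count for a user is the sum of only those user/src/day rows that exceeded the threshold, so the first sample user shows 6 rather than 8.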