Reputation: 1602
I am new to Splunk and am trying to perform incident analysis of a compromised domain controller's security event logs. I am using the free trial version of Splunk Cloud Platform, ingested the CSV data and let Splunk automatically create the indexes. The attack is a brute force attack and it seems that some malicious user tried to find the members of a Remote Desktop Users group in the AD.
I am attaching a screenshot of my current Splunk search result and the further filter that I want to use [highlighted in black]. As you will see in the current search result, it is listing many such events, but I am only interested in certain events, where under the Subject section the account names have values other than a given set of names (say ID4$, Admin, Harvester etc.). How can that be achieved?
Upvotes: 0
Views: 618
Reputation: 9926
To add on to @warren's answer, you need to extract fields before they can be searched. Then you can filter based on those fields.
index=foo source=bar
| rex field=EXTRA_FIELD_6 "Account Name:\s*(?<Account_Name>\S+)"
| search NOT Account_Name IN ("ID4$", "Admin", "Harvester")
Upvotes: 0
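The extraction and exclusion from the answer above, replayed in Python over constructed Windows Security event text so the two regex pitfalls are visible: `\w+` truncates names such as `ID4$` (so the exclusion list never matches them), and an unanchored `Account Name:` can pick up a later section of an event that carries more than one account. This is an added illustration, not code from the question or the answer; the field name EXTRA_FIELD_6, the sample messages and the account names are assumptions.

```python
import re
from typing import List, Optional

# Constructed sample messages (not from the original question). Each string stands
# in for the message column (EXTRA_FIELD_6 in the answer above) of one ingested CSV
# row; the layout mimics the "Subject:" block of a Windows Security event. Account
# names, SIDs and the extra "New Logon:" block are made up for the example.
SAMPLE_MESSAGES = [
    "Subject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tID4$\n\tAccount Domain:\t\tCORP\n",
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-1\n\tAccount Name:\t\tAdmin\n\tAccount Domain:\t\tCORP\n",
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-2\n\tAccount Name:\t\tHarvester\n\tAccount Domain:\t\tCORP\n",
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"
    "\nNew Logon:\n\tAccount Name:\t\tAdmin\n",
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-4\n\tAccount Name:\t\tsvc-backup\n\tAccount Domain:\t\tCORP\n",
    "Process Information:\n\tProcess ID:\t\t0x4\n",  # no Subject block at all
]

# Python equivalent of: | rex field=EXTRA_FIELD_6 "Account Name:\s*(?<Account_Name>\w+)"
# \w matches only letters, digits and "_", so "ID4$" is captured as "ID4" and
# "svc-backup" as "svc"; neither can then match the exclusion list.
REX_WORD = re.compile(r"Account Name:\s*(?P<Account_Name>\w+)")

# Hardened form: \S+ keeps the whole token, and anchoring on "Subject:" takes the
# first Account Name after that heading rather than one from a later section.
REX_SUBJECT = re.compile(r"Subject:.*?Account Name:\s*(?P<Account_Name>\S+)", re.DOTALL)

EXCLUDED = {"ID4$", "Admin", "Harvester"}


def extract_account_name(message: str, pattern: re.Pattern = REX_SUBJECT) -> Optional[str]:
    """Return the Subject account name, or None when the pattern does not match."""
    m = pattern.search(message)
    return m.group("Account_Name") if m else None


def filter_events(messages: List[str], excluded=EXCLUDED, pattern=REX_SUBJECT) -> List[Optional[str]]:
    """Equivalent of: | search NOT Account_Name IN (...).

    Mirrors Splunk semantics: NOT field IN (...) is also true when the field was
    never extracted, so events with no account name stay in the result (as None)
    and are worth reviewing rather than silently dropped."""
    kept = []
    for msg in messages:
        name = extract_account_name(msg, pattern)
        if name not in excluded:
            kept.append(name)
    return kept


if __name__ == "__main__":
    print("with \\w+ :", filter_events(SAMPLE_MESSAGES, pattern=REX_WORD))
    print("with \\S+ :", filter_events(SAMPLE_MESSAGES))
```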
Reputation: 33455
First, I'd strongly recommend you take the free courses available from Splunk: https://www.splunk.com/en_us/training.html?sort=Newest&filters=filterGroup1FreeCourses
Second, you need to look for field=value pairs in your data.
Like this:
index=ndx sourcetype=srctp fieldA=valA fieldB=valB* fieldC=valC
| stats values(host) as host values(valB) by fieldA fieldC
Upvotes: 1