I have an Event where I can extract the 2 different IDs, but how do I show that id 1 gave access to id 2?
Sample event
User-ABCDEFG assigned Role-'NewRole' on Project-1234 to ABCDEFG
I need to say the User-ABCDEFG gave access to ABCDEFG in a stats sort of way - the user may give 4 or 5 accesses a day so I would then create a report which shows what that user did.
Hi @LizAndy123,
Following @gcusello's understanding, I added a little more context to the results.
| rex field=_raw "User-(?<User>\w+)\s+assigned\s+Role-(?<Operation_Type>.+?)\s(?<Where>.+?)\sto\s(?<ToUser>.+?)$"
In this case, I'm supposing that you can tell the stakeholders the following:
User = The person who executed the operation
Operation_Type = What operation was done
Where = The asset that was changed in this operation
ToUser = The user who received the permission
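As an added example (not part of the original posts), the rex from the answer above can be followed by a stats step to produce the per-user, per-day report the question asks for. The events, the user IDs and the field names sample_note, n, Role, self_grant, grants, distinct_recipients, recipients, roles and self_grants are constructed for illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval sample_note="constructed events, not taken from the thread",
       _raw=case(
         n=1, "User-GRANTORA assigned Role-'NewRole' on Project-1234 to GRANTEE1",
         n=2, "User-GRANTORA assigned Role-'Viewer' on Project-1234 to GRANTEE2",
         n=3, "User-GRANTORA assigned Role-'NewRole' on Project-5678 to GRANTEE1",
         n=4, "User-GRANTORB assigned Role-'Admin' on Project-1234 to GRANTORB",
         n=5, "User-GRANTORB logged in")
| rex field=_raw "User-(?<User>\w+)\s+assigned\s+Role-(?<Operation_Type>.+?)\s(?<Where>.+?)\sto\s(?<ToUser>.+?)$"
| where isnotnull(ToUser)
| eval Role=trim(Operation_Type, "'")
| eval self_grant=if(User=ToUser, 1, 0)
| bin _time span=1d
| stats count AS grants,
        dc(ToUser) AS distinct_recipients,
        values(ToUser) AS recipients,
        values(Role) AS roles,
        values(Where) AS assets,
        sum(self_grant) AS self_grants
        BY _time, User
| sort - grants
```

On real data, replace the first three commands with the base search; the where clause drops events that do not match the rex pattern, and self_grants counts rows where the granting user and the receiving user are the same ID.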
Hi @LizAndy123 ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @LizAndy123 ,
let me understand:
you want to extract the user field (that's located at the beginning of the event) and the resource to access (that's located at the end of the event).
In this case you have to use two regexes:
| rex "^(?<user>[^ ]+)"
| rex "(?<resource>\w+)$"
Ciao.
Giuseppe