Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

alexlomas — Tue, 29 Sep 2020 06:50:57 GMT

I found that the canned extractions for [field_extraction_for_agt_risk] and [field_extraction_for_agt_behavior] were not working with Splunk 6.2.3 and SEP manager v 12.1.4104.4130.

It looks like the last couple of fields for each were missing, in my case that's category_set, category_type, File_Size & Device_ID. I modified the regexes as below to make the last two fields optional. The pre-built dashboards now work correctly. I don't know if "something" is wrong in the versions, regexes, or logfiles themeselves, but if the developer sees this perhaps they can comment 🙂

[field_extraction_for_agt_behavior]
REGEX = (\s*'[^']*'|\s*[^,]*)(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1})?
FORMAT = Severity::$2 Host_Name::$3 Action::$4 Description::$5 API::$6 Begin_Time::$7 End_Time::$8 Rule_Name::$9 Caller_Process_ID::$10 Caller_Process_Name::$11 Return_Address::$12 Return_Module::$13 Parameter::$14 User_Name::$15 Domain_Name::$16 Action_Type::$17 File_Size::$18 Device_ID::$19

[field_extraction_for_agt_risk]
REGEX = (\s*'[^']*'|\s*"[^"]*"|\s*[^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1},Application\sversion:\s(.*),Application\stype:([^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1})?
FORMAT = Risk_Action::$2 IP_Address::$3 Computer_Name::$4 Source::$5 Risk_Name::$6 Occurrences::$7 File_Path::$8 Description::$9 Actual_Action::$10 Requested_Action::$11 Secondary_Action::$12 Event_Time::$13 Event_Insert_Time::$14 End_Time::$15 Last_Update_Time::$16 Domain_Name::$17 Group_Name::$18 Server_Name::$19 User_Name::$20 Source_Computer_Name::$21 Source_Computer_IP::$22 Disposition::$23 Download_site::$24 Web_domain::$25 Downloaded_by::$26 Prevalence::$27 Confidence::$28 URL_Tracking_Status::$29 First_Seen::$31 Sensitivity::$32 Reason_for_white_listing::$33 Application_Hash::$34 Hash_Type::$35 Company_Name::$36 Application_Name::$37 Application_Version::$38 Application_Type::$39 File_Size::$40 Category_set::$41 Category_type::$42

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

mreynov_splunk — Thu, 30 Jul 2015 20:45:35 GMT

To confirm: the fields were not being extracted or missing in your logs?

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

mreynov_splunk — Thu, 30 Jul 2015 20:53:44 GMT

A new reply to an answer on Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working was posted by alexlomas on Splunk Answers:

Awesome - are any of the other field extractions affected?

On a semi-related topic: how is the malware lookup supposed to work? Or rather, in which reports/panels is it used?

I might have been too hasty, please respond to question below to clarify.

re: malware lookup - it is used to map to CIM category field. TA is focused on getting data into Splunk and does not come with built in visual components. If you have ES, this data will show up in Malware related dashboards.

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

alexlomas — Thu, 30 Jul 2015 21:03:03 GMT

The fields are not in the logs - I modified the extractions to make the last two fields for both files optional with a (?: ... )?

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

mreynov_splunk — Thu, 30 Jul 2015 21:06:20 GMT

Alright, I guess it IS a bug and we will fix in the next release. The difference must stem from a difference in SEP configuration.

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

alexlomas — Thu, 30 Jul 2015 21:08:54 GMT

OK - let me know if you want file samples offline.

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

mreynov_splunk — Thu, 30 Jul 2015 21:14:17 GMT

woud love some samples. thanks!

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

alexlomas — Fri, 31 Jul 2015 07:27:12 GMT

Not quite sure how to mail them over - we have a support contract so if you can see me in the CRM you can pull out my email address I guess.

topic Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working in All Apps and Add-ons

Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

Re: Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working