https://community.splunk.com/t5/Splunk-Search/How-to-get-a-regex-setup-to-tell-me-whether-a-session-was/m-p/345026#M102217 <P>As @richgalloway said... use the app... Specifically the tech addon for Palo Alto: <A href="https://splunkbase.splunk.com/app/2757/">https://splunkbase.splunk.com/app/2757/</A> </P> <P>The field to determine if you decrypted a session is part of a bit wise field: <A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-Based-on-Flags-in/ta-p/60515">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-Based-on-Flags-in/ta-p/60515</A></P> <P>This means, that while you may be able to use a regex to extract the flag field itself, you're not going to be able to use a regex to interpret the flag to determine if the session was decrypted or not. Instead you'll need bit arithmetic. </P> <P>If we look at the transforms.conf of the tech addon, you'll see that they use delimiter based extractions instead of regular expressions to extract the field as <CODE>session_flags</CODE>. They then in the props.conf use some math to convert the single <CODE>session_flags</CODE> field into a multi-valued <CODE>flags</CODE> field... this is <CODE>EVAL-flags</CODE> in props.conf in the TA. </P> <P>The flag you're asking about in particular:</P> <PRE><CODE>if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted") </CODE></PRE> <P>EDIT: And thanks to <A href="https://answers.splunk.com/answering/236510/view.html">this answer</A> by @martin_mueller I realize there's a bug in that line in the TA, and we need to add a %2 into it... so updated.</P> <P>And issue logged with the TA: <A href="https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17">https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17</A></P> Sun, 04 Feb 2018 20:07:38 GMT acharlieh 2018-02-04T20:07:38Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-regex-setup-to-tell-me-whether-a-session-was/m-p/345024#M102215 <P>Hi all; so we are decrypting traffic via Palo Alto, but we aren't using the PA app for Splunk. What I'm trying to figure out is how to get a regex setup to tell me a session was or was not decrypted based on the proxy flag. Has anyone done that yet?</P> Fri, 02 Feb 2018 20:34:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-regex-setup-to-tell-me-whether-a-session-was/m-p/345024#M102215 coloradoark 2018-02-02T20:34:25Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-regex-setup-to-tell-me-whether-a-session-was/m-p/345025#M102216 <P>Why not use the app?<BR /> If you'll post some sample events and the fields you want extracted from them, we can help craft a regex string or find some other way to get what you need.</P> Sun, 04 Feb 2018 19:21:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-regex-setup-to-tell-me-whether-a-session-was/m-p/345025#M102216 richgalloway 2018-02-04T19:21:27Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-regex-setup-to-tell-me-whether-a-session-was/m-p/345026#M102217 <P>As @richgalloway said... use the app... Specifically the tech addon for Palo Alto: <A href="https://splunkbase.splunk.com/app/2757/">https://splunkbase.splunk.com/app/2757/</A> </P> <P>The field to determine if you decrypted a session is part of a bit wise field: <A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-Based-on-Flags-in/ta-p/60515">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-Based-on-Flags-in/ta-p/60515</A></P> <P>This means, that while you may be able to use a regex to extract the flag field itself, you're not going to be able to use a regex to interpret the flag to determine if the session was decrypted or not. Instead you'll need bit arithmetic. </P> <P>If we look at the transforms.conf of the tech addon, you'll see that they use delimiter based extractions instead of regular expressions to extract the field as <CODE>session_flags</CODE>. They then in the props.conf use some math to convert the single <CODE>session_flags</CODE> field into a multi-valued <CODE>flags</CODE> field... this is <CODE>EVAL-flags</CODE> in props.conf in the TA. </P> <P>The flag you're asking about in particular:</P> <PRE><CODE>if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted") </CODE></PRE> <P>EDIT: And thanks to <A href="https://answers.splunk.com/answering/236510/view.html">this answer</A> by @martin_mueller I realize there's a bug in that line in the TA, and we need to add a %2 into it... so updated.</P> <P>And issue logged with the TA: <A href="https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17">https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17</A></P> Sun, 04 Feb 2018 20:07:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-regex-setup-to-tell-me-whether-a-session-was/m-p/345026#M102217 acharlieh 2018-02-04T20:07:38Z