topic Re: What end of anchor parameter to use for the Symantec event? in Splunk Search

What end of anchor parameter to use for the Symantec event?

jwalzerpitt — Fri, 26 Jul 2019 14:37:54 GMT

I am trying to figure out what end of the anchor parameter to use for the Symantec event.

Here is a snippet of the Symantec event:

Application hash: 4a3c0caeaf4bef6a170e3d031f7181901464ff8271639bab1641465e6f97e000,Hash type: SHA2,Company name: ,Application name: Mac Cleanup Pro,Application version: ,Application type: -1,File size (bytes): 196640,Category set: Security risk,Category type: UNKNOWN,Location: ,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:

Here is my regex:

(?:Application\shash:\s*(?<Application_Hash>[^"]+)),?(?:Hash\stype:\s*(?<Hash_type>[^"]+)),?(?:Application\sname:\s*(?<Application_name>[^"]+)),?(?:Application\sversion:\s*(?<Applciation_version>[^"]+)),?(?:File\ssize\s\(bytes\)\s*(?<File_size>[^"]+)),?(?:Category\sset:\s*(?<Category_set>[^"]+)),?(?:Category\stype:\s*(?<Category_type>[^"]+)),?(?:Location:\s*(?<Location>[^"]+)),?(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^"]+)),?(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^"]+)),?(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^"]+)),?(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^"]+)),?(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^"]+)),?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))\z

I tried '$' and '\Z', but no luck getting the entire regex to match. If I leave the end of my regex as:

?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))?

The Group Signing_Timestamp is 0,Certificate serial number: so I know the regex is working up till the very end

Any help would be appreciated.

Thank you.

Re: What end of anchor parameter to use for the Symantec event?

richgalloway — Fri, 26 Jul 2019 17:05:16 GMT

The regex is not looking for the "Company name" field. Also, It expects each field to end with ", but there are no quotes in the sample data.

Re: What end of anchor parameter to use for the Symantec event?

rbechtold — Fri, 26 Jul 2019 20:48:27 GMT

Hey Jwalzerpitt!

I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.

This should work for the dataset you provided:

(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))

Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.

Give the extract command a try to see if it works to accomplish your goal like this:

...BASE SEARCH...
| extract kvdelim=":" pairdelim=","

If you run into any problems let me know and I'm happy to help.

Re: What end of anchor parameter to use for the Symantec event?

jwalzerpitt — Mon, 29 Jul 2019 18:41:32 GMT

Thx a million for the regex help, and even better, the extract command as that worked perfectly!

Thx again