topic Re: How to Extract Fields from McAfee Vulnerability Manager in Splunk Search

How to Extract Fields from McAfee Vulnerability Manager

mzorzi — Mon, 28 Sep 2020 19:26:06 GMT

The events collected from the MVM have multiline fields, I would like to extract vendor_description,vendor_observation and vendor_recommendation.

What is the best props.conf configuration?

Apr 06 2015 08:22:41
TicketID=11674520
category_id=29
vendor_category=Security Policy/Options
cve=CVE-MAP-NOMATCH
msft=
mskb=
dest_ip=196.68.23.14
dest_name=SRVUDG987
dest_host=SRVUDG987.VGR.ATTGR.NET
signature=User Rights Restore Files And Directories Policy
vendor_severity=0
vendor_description=The User Rights "Restore files and directories" policy does not match the recommended compliance value.
vendor_observation=The User Rights "Restore files and directories" policy specifies which accounts may restore files and directories from a backup.

        NOTE: This check requires at least Foundstone version 4.0.6.
vendor_recommendation=Foundstone recommends the User Rights "Restore files and directories" be set via either a group policy INF file or by manually navigating to:

        Control Panel - Administrative Tools - Local Security Policy - Local Policies - User Rights Assignment

        Set the "Restore files and directories" policy to Administrators

Re: How to Extract Fields from McAfee Vulnerability Manager

mzorzi — Tue, 07 Apr 2015 13:30:12 GMT

This works for me, but it is a bit random. Maybe you have better suggestion?

[vmdata]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
KV_MODE = none
EXTRACT-vall = (?mis)vendor_description=(?<vendor_descrition>.*)[\r\n]+vendor_observation=(?<vendor_observation>.*(?!vendor))[\r\n]+vendor_recommendation=(?<vendor_recommendation>.*)[\r\n]+

Re: How to Extract Fields from McAfee Vulnerability Manager

jeffland — Tue, 07 Apr 2015 13:52:57 GMT

Why not this straightforward rex:

vendor_description=(?<description>.*)vendor_observation=(?<observation>.*)vendor_recommendation=(?<recommendation>.*)

When I use it with the s modifier (so that . includes newline) on your sample, I get exactly the entire text until the next vendor_ (with the first two entries at least, the last one just captures until the end of the event I guess).

Re: How to Extract Fields from McAfee Vulnerability Manager

mzorzi — Tue, 07 Apr 2015 13:55:04 GMT

have you tried it from props.conf? I have two different results between rex search command and props.conf

Re: How to Extract Fields from McAfee Vulnerability Manager

jeffland — Tue, 07 Apr 2015 14:01:07 GMT

Unfortunately this is only rex-tested, sorry. I am not yet proficient with that sort of low-level setup. Why don't you try the expression in your props.conf, the modifier should work by prepending (?m)^ to your expression.