topic Re: Dynamic field extraction with multiple values; Cisco ISE Posture checks in Splunk Search

Dynamic field extraction with multiple values; Cisco ISE Posture checks

solarboyz1 — Wed, 03 Dec 2014 14:52:51 GMT

From our Cisco ISE we get Posture report events, each event can have multiple PostureReports.

PostureReport=Encase Service Policy\;Passed\;(Encase Service Status:Audit:Failed:Passed_Conditions[]:Failed_Conditions[Encase_Service_Check]:Skipped_Conditions[]),  PostureReport=Disk Encryption -- ActiveX Error\;Passed\;(Disk Encryption Status-ActiveX Error:Audit:Passed:Passed_Conditions[]:Failed_Conditions[Disk_Encryption_ActiveX_Error_x64:Disk_Encryption_ActiveX_Error:Disk_Encryption_ActiveX_Error_x86]:Skipped_Conditions[]),

I've extracted the Status of each posture policy with a transforms.conf entry

[extract_posture_dynamic_ise] 
FORMAT = $1::$2 
MV_ADD = 1 
REGEX = \sPostureReport=([^\\;]+)\\;(\w+)\\;

that part works perfect. However, I now need to extract the status of the actual checks:

;(Encase Service Status:Audit:Failed:Passed_Conditions[]:Failed_Conditions[Encase_Service_Check]:Skipped_Conditions[]),

Here's what I tried doing in transforms.conf before I noticed the caveat that this won't work at search time:

[extract_posture_checks_ise]
MV_ADD=1
REGEX=\sPostureReport=([^\\;]+)\\;\w+\\;\(([^:]):([^:]):([^:]):Passed_Conditions\[(.*?)\]:Failed_Conditions\[(.*?)\]:Skipped_Conditions\[(.*)\]),
FORMAT=$2_Type::$3 $2_Status::$4  $2_Passed_Conditions::$5  $2_Failed_Conditions::$6  $2_Skipped_Conditions::$7

Can this be done through a different method?

Re: Dynamic field extraction with multiple values; Cisco ISE Posture checks

cpetterborg — Wed, 03 Dec 2014 16:32:43 GMT

When you say "this won't work at search time," do you mean that you don't want to do it at indexing time, but you want to do either a field extraction, or use a rex command in the search?

Re: Dynamic field extraction with multiple values; Cisco ISE Posture checks

solarboyz1 — Wed, 03 Dec 2014 18:23:49 GMT

Correct, I'd rather not add an index time field extraction.

Re: Dynamic field extraction with multiple values; Cisco ISE Posture checks

cpetterborg — Wed, 03 Dec 2014 18:33:37 GMT

The following REX command should work to extract the data from the fields that you want (it could be simplified to just start from the "Passed_Conditions" portion if that makes sense for your data):

<your search> | rex field=_raw "PostureReport=([^;]+)\\;\w+\\;\(([^:]+):([^:]+):([^:]+):Passed_Conditions\[(?P<passedcond>[^\]]*)\]:Failed_Conditions\[({P<failedcond>[^\]]*)\]:Skipped_Conditions\[(?P<skippedcond>[^\]]*)\]\),"

It could also be modified to do a field extraction for the sourcetype.

Re: Dynamic field extraction with multiple values; Cisco ISE Posture checks

solarboyz1 — Wed, 03 Dec 2014 18:40:52 GMT

The issue is that each event can have a dozen PostureReport lines, which is why I need the fileds to be dynamically named based on the name of the check (capture group 2 in your example).

Re: Dynamic field extraction with multiple values; Cisco ISE Posture checks

cpetterborg — Wed, 03 Dec 2014 18:44:21 GMT

Can you provide an example?

BTW - I have a typo in the rex - ({P should be (?P for the failedcond field.

Re: Dynamic field extraction with multiple values; Cisco ISE Posture checks

solarboyz1 — Wed, 03 Dec 2014 18:49:28 GMT

The first box of code in my question, is an excerpt from a single event. It shows the PostureReport for two of the checks, there are about a dozen per event. The checks can be be added and removed based on policy, so the solution need to be dynamic to handle those changes.