All Apps and Add-ons

Making a delimited multivalue field using props and transforms - qualys TA

Robbie1194
Communicator

Hi Guys,

I'm using the qualys TA to extract VM data and I'm having some issues with making a multi value field out of the "cve" field qualys use.

My "cve" field has values like:

"CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997"
OR
"CVE-2013-1346"
OR
"CVE-2015-2808, CVE-2013-2566"

My goal is to make it when I search for a single CVE (such as CVE-2017-3000), hosts with that cve will be shown. However, currently it will only show the host if my search matches the full value for the cve field which could be over 20 cve values. (Sorry if that doesn't make sense, It's quite hard to explain without visualisations but I've not got enough karma to upload pictures.)

I want to use transforms and props to configure this extraction at search time. I have my regex working to capture each individual CVE.

I've been trying for a while now to no avail, could someone please show me what my transforms and props needs? Currently I have...

props.conf

[qualys:hostDetection]
REPORT-cve = mv-cve

transforms.conf

[mv-cve]
REGEX = cve=(?CVE-\d+-\d+) (I've tried this line without the "cve=" but it shows an example with it in the docs)
FORMAT = cve::$1 (I don't fully understand what this line is doing, I don't think the docs are very clear)
MV_ADD= true

Any help would be greatly appreciated, cheers.

0 Karma
1 Solution

woodcock
Esteemed Legend

Here is a nifty trick for cases like that that avoids creating a multivalue field (an approach that over-complicates things and can create other problems):

|makeresults | eval raw="CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997::CVE-2013-1346::CVE-2015-2808, CVE-2013-2566"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| eval cve=_raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| search CVE-2017-3000
| rename COMMENT AS "This has all the potential matches"
| where mvcount(split(cve, "CVE-2017-3000"))=2
| rename COMMENT AS "Now you have all the real matches"

The nice thing about this is that if you can use either a string literal inside the split command or a field name!

View solution in original post

0 Karma

woodcock
Esteemed Legend

Here is a nifty trick for cases like that that avoids creating a multivalue field (an approach that over-complicates things and can create other problems):

|makeresults | eval raw="CVE-2017-3003, CVE-2017-3002, CVE-2017-3001, CVE-2017-3000, CVE-2017-2999, CVE-2017-2998, CVE-2017-2997::CVE-2013-1346::CVE-2015-2808, CVE-2013-2566"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| eval cve=_raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| search CVE-2017-3000
| rename COMMENT AS "This has all the potential matches"
| where mvcount(split(cve, "CVE-2017-3000"))=2
| rename COMMENT AS "Now you have all the real matches"

The nice thing about this is that if you can use either a string literal inside the split command or a field name!

0 Karma

prabhasgupte
Communicator

Can this be of any help to you? Replace the CVE with input token or change it to whichever you are searching for.
eventtype="qualys_vm_detection_event" cve=*CVE-2016-5554* | dedup 1 HOST_ID, QID | table HOST_ID, IP, QID, cve

Change the query as per your need.

0 Karma

Robbie1194
Communicator

Hi somesoni2,

Thanks for the links but I've already looked at them and they didn't help too much. I don't really understand why my configs aren't working! :'(

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...