- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: SEP 14.2 RU1 log format change
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SEP 14.2 RU1 log format change
Symantec slightly change the log format for 14.2 RU1... add these to transforms.conf in /local and you'll be good to go.
[field_extraction_for_traffic]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Local Host:\s*(?[[sep_file_field]]))?,\s*(?:Local Port:\s*(?[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?[[sep_file_field]]))?,\s*(?:Remote Port:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?:Application:\s*(?[[sep_file_field]]))?,\s*(?:Rule:\s*(?[[sep_file_field]]))?,\s*(?:Location:\s*(?[[sep_file_field]]))?,\s*(?:User:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Action:\s*(?[[sep_file_field]]))?,\s*(?:SHA-256:\s*(?[[sep_file_field]]))?,\s*(?:MD-5:\s*(?[[sep_file_field]]))?
[field_extraction_for_agt_security]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Event Description:\s*(?[[sep_file_field]])),\s*(?:Local:\s*(?[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?:Application:\s*(?[[sep_file_field]]))?,\s*(?:Location:\s*(?[[sep_file_field]]))?,\s*(?:User:\s*(?[[sep_file_field]])),\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Local\sPort\s*(?[[sep_file_field]]))?,\s*(?:Remote\sPort\s*(?[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sID:\s*(?[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sstring:\s*(?[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sSubID:\s*(?[[sep_file_field]]))?,\s*(?:Intrusion\sURL:\s*(?[[sep_file_field]]))?,\s*(?:Intrusion\sPayload\sURL:\s*(?[[sep_file_field]]))?,?\s*(?:SHA-256:\s*(?[[sep_file_field]]))?,?\s*(?:MD-5:\s*(?[[sep_file_field]]))?
[field_extraction_for_agt_risk]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?[^,']'[^']'|[^,"]"[^"]|[^,]))?,\s(?:Source:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Actual\saction:\s*(?[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?[[sep_file_field]]))?,s*(?:Inserted:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Group:\s*(?[[sep_file_field]]))?,\s*(?:Server:\s*(?[[sep_file_field]]))?,\s*(?:User:\s*(?[[sep_file_field]])),\s*(?:Source\scomputer:\s*(?[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?[[sep_file_field]]))?,\s*(?:Disposition:\s*(?[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?.))?,\s(?:Downloaded\sby:\s*(?[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?[[sep_file_field]]))?,\s*(?:Confidence:\s*(?[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Application\shash:\s*(?[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?.))?,\s(?:Application\sname:\s(?[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P.))?,\s(?:Application\stype:\s*(?[[sep_file_field]]))?,\s*(?:File\ssize\s(bytes):\s*(?[[sep_file_field]]))?(?:,\s*Category\sset:\s*(?[[sep_file_field]]),\s*Category\stype:\s*(?[[sep_file_field]]))?,?\s*(?:Location:\s*(?[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?[[sep_file_field]]))?
[field_extraction_for_agt_behavior]
REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),?\s*(?[[sep_file_field]])?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Rule:\s*(?[[sep_file_field]])),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:User:\s*(?[[sep_file_field]])),\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?[[sep_file_field]]))?(?:,\s*File\ssize\s(bytes):\s*(?[[sep_file_field]]),\s*Device\sID:\s*(?[[sep_file_field]]))?$
[field_extraction_for_agt_proactive]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?:Computer\sname:\s*(?[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?.))?,\s(?:File\ssize\s(bytes):\s*(?[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?[[sep_file_field]]))?,\s*(?:Disposition:\s*(?[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?.))?,\s(?:Downloaded\sby:\s*(?[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?[[sep_file_field]]))?,\s*(?:Confidence:\s*(?[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?[[sep_file_field]]))?,\s*(?:Source:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Actual\saction:\s*(?[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?[[sep_file_field]]))?,\s*(?:Inserted:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Group:\s*(?[[sep_file_field]]))?,\s*(?:Server:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?[[sep_file_field]]))?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will be implementing the transforms.conf in /opt/splunk/etc/apps/Splunk_TA_symantec-ep/local as described above. My question would be, what does the props.conf need to look like in the same directory? Should it be blank or deleted completely? It appears that the props.conf that sits in the /opt/splunk/etc/apps/Splunk_TA_symantec-ep/default aligns with the naming conventions above and should work. I’m just trying to understand what should happen to the local/props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone,
We are using the SEP 14.2.1 (14.2 RU1 MP1) build 4815 (14.2.4815.1101)
Installed the last Symantec Add-On, and since the Risk were not correctly tagged, I have modified the regex like this :
(you can put it on local/transforms.conf)
[field_extraction_for_agt_risk]
### Modified Regex, removed unknown tag that brokes the regex, and moved certificates tags to the end to be recognized.
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?<Computer_Name>[[sep_file_field]]))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,\s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?<Last_Update_Time>[[sep_file_field]]))?,\s*(?:Domain:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<user>[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?<Reason_For_White_Listing>[[sep_file_field]]),\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:Application\sname:\s(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P<Application_Version>.*))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?(?:,\s*Category\sset:\s*(?<Category_Set>[[sep_file_field]]),\s*Category\stype:\s*(?<Category_Type>[[sep_file_field]]))?,?\s*(?:Location:\s*(?<Location>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?
[field_extraction_for_agt_proactive]
### Modified Regex, moved certificate tags to the end like the agt_risk one.
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:Computer\sname:\s*(?<Computer_Name>[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?<Detection_Type>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?<Application_Version>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?<Detection_Score>[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?<COH_Engine_Version>[[sep_file_field]]))?,\s*(?<Submission_Recommendation>[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?<Permitted_Application_Reason>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?<Risk_Level>[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?<Risk_Type>[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?<Detection_Source>[[sep_file_field]]))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,\s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Domain:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<user>[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?
Hope this works for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice to hear that!
Hope this help someone else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We took a different approach as the transforms option gave us problems when not all the fields existed all this time in the events we were getting. As such we updated the local/props.conf with the the below and haven't had any problem reported yet:
[symantec:ep:security:file]
EXTRACT-security_file_fields = \[name\]:(?P<name>.+?)\[class\]:(?P<class>.+?)\[guid\]:(?P<guid>.+?)\[deviceID\]:(?P<deviceID>.+)[\\\\](?P<deviceSN>.+?)\,
[symantec:ep:agents:db]
FIELDALIAS-user = CURRENT_LOGIN_USER AS user
FIELDALIAS-dest = COMPUTER_NAME AS dest
FIELDALIAS-ip = ip_address AS dest_ip
FIELDALIAS-dest_mac = mac_address AS dest_mac
FIELDALIAS-domain = domain_name AS dest_nt_domain
FIELDALIAS-product_ver = AGENT_VERSION AS product_version
FIELDALIAS-signature_ver = AV_REVISION AS signature_version
EVAL-vendor = "Symantec"
EVAL-product = "Endpoint Protection"
EVAL-vendor_product = "Symantec Endpoint Protection"
[symantec:ep:proactive:file]
EXTRACT-proactive_downloaded_by = Downloaded\sby\:\s(?<Downloaded_By>.*?[^\,]*)
EXTRACT-proactive_prevalance = Prevalence\:\s(?<Prevalence>.*?[^\,]*)
EXTRACT-proactive_url_track = URL\sTracking\sStatus\:\s(?<URL_Tracking_Status>.*?[^\,]*)
EXTRACT-proactive_first_seen = First\sSeen\:\s(?<First_Seen>.*?[^\,]*)
EXTRACT-proactive_sensitivity = Sensitivity\:\s(?<Sensitivity>.*?[^\,]*)
EXTRACT-proactive_app_hash = Application\shash\:\s(?<Application_Hash>.*?[^\,]*)
EXTRACT-proactive_hash_type = Hash\stype\:\s(?<Hash_Type>.*?[^\,]*)
EXTRACT-proactive_app_name = Application\sname\:\s(?<Application_Name>.*?[^\,]*)
EXTRACT-proactive_app_ver = Application\sversion\:\s(?<Application_Version>.*?[^\,]*)
EXTRACT-proactive_app_type = Application\stype\:\s(?<Application_Type>.*?[^\,]*)
EXTRACT-proactive_file_size = File\ssize\s\(bytes\)\:\s(?<File_Size>.*?[^\,]*)
EXTRACT-proactive_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-proactive_intensive_protection_lvl = Intensive\sProtection\sLevel\:\s(?<Intensive_Protection_Level>.*?[^\,]*)
EXTRACT-proactive_cert_issuer = Certificate\sissuer\:\s(?<Certificate_Issuer>.*?[^\,]*)
EXTRACT-proactive_cert_signer = Certificate\ssigner\:\s(?<Certificate_Signer>.*?[^\,]*)
EXTRACT-proactive_cert_thumbprint = Certificate\sthumbprint\:\s(?<Certificate_Thumbprint>.*?[^\,]*)
EXTRACT-proactive_signing_timestamp = Signing\stimestamp\:\s(?<Signing_Timestamp>.*?[^\,]*)
EXTRACT-proactive_cert_serial_no = Certificate\sserial\snumber\:\s(?<Certificate_Serial_Number>.*?[^\,]*)
EXTRACT-proactive_ip = IP\sAddress\:\s+(?<IP_Address>\d[^\,]+)
EXTRACT-proactive_comp_name = Computer\sname\:\s(?<Computer_Name>\w[^\,]+)
EXTRACT-proactive_src = Source\:\s(?<Source>\w[^\,]+)
EXTRACT-proactive_name = Risk\sname\:\s(?<Risk_Name>\w[^\,]+)
EXTRACT-proactive_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)\,(?<file_path>\w[^\,]+)\,(?<Description>\w*)
EXTRACT-proactive_actual_action = Actual\saction\:\s(?<vendor_action>\w[^\,]+)
EXTRACT-proactive_requested_action = Requested\saction\:\s(?<Requested_Action>\w[^\,]+)
EXTRACT-proactive_secondary_action = Secondary\saction\:\s(?<Secondary_Action>\w[^\,]+)
EXTRACT-proactive_event_time = Event\stime\:\s(?<Event_Time>\d[^\,]+)
EXTRACT-proactive_insert_time = Inserted\:\s(?<Event_Insert_Time>\d[^\,]+)
EXTRACT-proactive_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-proactive_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-proactive_group_name = Group\:\s(?<Group_Name>\w[^\,]+)
EXTRACT-proactive_server_name = Server\:\s(?<Server_Name>\w[^\,]+)
EXTRACT-proactive_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-proactive_src_name = Source\scomputer\:\s(?<Source_Computer_Name>.*?[^\,]*)
EXTRACT-proactive_src_ip = Source\sIP\:\s(?<Source_Computer_IP>.*?[^\,]*)
EXTRACT-proactive_disposition = Disposition\:\s(?<Disposition>\w[^\,]+)
EXTRACT-proactive_download_site = Download\ssite\:\s(?<Download_Site>.*?[^\,]*)
EXTRACT-proactive_web_domain = Web\sdomain\:\s(?<Web_Domain>.*?[^\,]*)
EXTRACT-proactive_confidence = Confidence\:\s(?<Confidence>.*?[^\,]*)
EXTRACT-proactive_action = ^[\d\-\s\:]+\,(?<Risk_Action>.*?[^\,]*)
EXTRACT-proactive_detection_type = Detection\stype\:\s+(?<Detection_Type>.*?[^\,]*)
EXTRACT-proactive_detection_score = Detection\sscore\:\s(?<Detection_Score>.*?[^\,]*)
EXTRACT-proactive_coh_engine_ver = COH\sEngine\sVersion\:\s(?<coh_engine_version>.*?[^\,]*)\,(?<Submission_Recommendation>.*?[^\,]*)
EXTRACT-proactive_permitted_app_reason = Permitted\sapplication\sreason\:\s(?<Permitted_Application_Reason>.*?[^\,]*)
EXTRACT-proactive_risk_lvl = Risk\sLevel\:\s(?<Risk_Level>.*?[^\,]*)
EXTRACT-proactive_risk_type = Risk\stype\:\s(?<Risk_Type>.*?[^\,]*)
[symantec:ep:risk:file]
EXTRACT-risk_downloaded_by = Downloaded\sby\:\s(?<Downloaded_By>.*?[^\,]*)
EXTRACT-risk_prevalance = Prevalence\:\s(?<Prevalence>.*?[^\,]*)
EXTRACT-risk_url_track = URL\sTracking\sStatus\:\s(?<URL_Tracking_Status>.*?[^\,]*)
EXTRACT-risk_first_seen = First\sSeen\:\s(?<First_Seen>.*?[^\,]*)
EXTRACT-risk_sensitivity = Sensitivity\:\s(?<Sensitivity>.*?[^\,]*)\,(?<Reason_For_White_Listing>.*?[^\,]*)
EXTRACT-risk_app_hash = Application\shash\:\s(?<Application_Hash>.*?[^\,]*)
EXTRACT-risk_hash_type = Hash\stype\:\s(?<Hash_Type>.*?[^\,]*)
EXTRACT-risk_co_name = Company\sname\:\s(?<Company_Name>.*?[^\,]*)
EXTRACT-risk_app_name = Application\sname\:\s(?<Application_Name>.*?[^\,]*)
EXTRACT-risk_app_ver = Application\sversion\:\s(?<Application_Version>.*?[^\,]*)
EXTRACT-risk_app_type = Application\stype\:\s(?<Application_Type>.*?[^\,]*)
EXTRACT-risk_file_size = File\ssize\s\(bytes\)\:\s(?<File_Size>.*?[^\,]*)
EXTRACT-risk_cat_set = Category\sset\:\s(?<Category_Set>.*?[^\,]*)
EXTRACT-risk_cat_type = Category\stype\:\s(?<Category_Type>.*?[^\,]*)
EXTRACT-risk_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-risk_intensive_protection_lvl = Intensive\sProtection\sLevel\:\s(?<Intensive_Protection_Level>.*?[^\,]*)
EXTRACT-risk_cert_issuer = Certificate\sissuer\:\s(?<Certificate_Issuer>.*?[^\,]*)
EXTRACT-risk_cert_signer = Certificate\ssigner\:\s(?<Certificate_Signer>.*?[^\,]*)
EXTRACT-risk_cert_thumbprint = Certificate\sthumbprint\:\s(?<Certificate_Thumbprint>.*?[^\,]*)
EXTRACT-risk_signing_timestamp = Signing\stimestamp\:\s(?<Signing_Timestamp>.*?[^\,]*)
EXTRACT-risk_cert_serial_no = Certificate\sserial\snumber\:\s(?<Certificate_Serial_Number>.*?[^\,]*)
EXTRACT-risk_ip = IP\sAddress\:\s+(?<IP_Address>\d[^\,]+)
EXTRACT-risk_comp_name = Computer\sname\:\s(?<Computer_Name>\w[^\,]+)
EXTRACT-risk_src = Source\:\s(?<Source>\w[^\,]+)
EXTRACT-risk_name = Risk\sname\:\s(?<Risk_Name>\w[^\,]+)
EXTRACT-risk_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)\,(?<file_path>\w[^\,]+)\,(?<Description>\w*)
EXTRACT-risk_actual_action = Actual\saction\:\s(?<vendor_action>\w[^\,]+)
EXTRACT-risk_requested_action = Requested\saction\:\s(?<Requested_Action>\w[^\,]+)
EXTRACT-risk_secondary_action = Secondary\saction\:\s(?<Secondary_Action>\w[^\,]+)
EXTRACT-risk_event_time = Event\stime\:\s(?<Event_Time>\d[^\,]+)
EXTRACT-risk_insert_time = Inserted\:\s(?<Event_Insert_Time>\d[^\,]+)
EXTRACT-risk_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-risk_update_time = Last\supdate\stime\:\s(?<Last_Update_Time>\d[^\,]+)
EXTRACT-risk_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-risk_group_name = Group\:\s(?<Group_Name>\w[^\,]+)
EXTRACT-risk_server_name = Server\:\s(?<Server_Name>\w[^\,]+)
EXTRACT-risk_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-risk_src_name = Source\scomputer\:\s(?<Source_Computer_Name>.*?[^\,]*)
EXTRACT-risk_src_ip = Source\sIP\:\s(?<Source_Computer_IP>.*?[^\,]*)
EXTRACT-risk_disposition = Disposition\:\s(?<Disposition>\w[^\,]+)
EXTRACT-risk_download_site = Download\ssite\:\s(?<Download_Site>.*?[^\,]*)
EXTRACT-risk_web_domain = Web\sdomain\:\s(?<Web_Domain>.*?[^\,]*)
EXTRACT-risk_confidence = Confidence\:\s(?<Confidence>.*?[^\,]*)
EXTRACT-risk_action = ^[\d\-\s\:]+\,(?<Risk_Action>.*?[^\,]*)
[symantec:ep:security:file]
EXTRACT-security_vendor_severity = ^[\d\-\s\:]+\,(?<vendor_severity>.*?[^\,]*)\,(?<Host_Name>\w[^\,]+)
EXTRACT-security_event_desc = Event\sDescription(.*?)(?:\"\,|\s\w+\:|\s+\[\w+\]\:)
EXTRACT-security_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-security_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-security_begin_time = Begin\:\s(?<Begin_Time>\d[^\,]+)
EXTRACT-security_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-security_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)
EXTRACT-security_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-security_local_pt = Local\sPort\:\s+(?<Local_Port>\d[^\,]*)
EXTRACT-security_remote_pt = Remote\sPort\:\s+(?<Remote_Port>\d[^\,]*)
EXTRACT-security_local_ip = Local\:\s+(?<Local_Host_IP>\d[^\,]+)
EXTRACT-security_remote_name = Remote\s\Host\sName\:\s(?<Remote_Host_Name>.*?[^\,]*)
EXTRACT-security_remote_ip = Remote\sHost\sIP\:\s(?<Remote_Host_IP>\d[^\,]+)
EXTRACT-security_local_mac = Local\sHost\sMAC\:\s(?<Local_Host_MAC>\w[^\,]+)
EXTRACT-security_intrusion_url = Intrusion\sURL\:\s(?<Intrusion_URL>.*?[^\,]*)
EXTRACT-security_intrusion_payload_url = Intrusion\sPayload\sURL\:\s(?<Intrusion_Payload_URL>.*?[^\,]*)
EXTRACT-security_md5 = MD\-5\:\s(?<MD_5>.*?[^\,]*)
EXTRACT-security_sha256 = SHA\-256\:\s(?<SHA_256>.*?[^\,]*)
EXTRACT-security_signature_id = CIDS\sSignature\sID\:\s(?<CIDS_Signature_ID>.*?[^\,]*)
EXTRACT-security_signature_string = CIDS\sSignature\sstring\:\s(?<CIDS_Signature_String>.*?[^\,]*)
EXTRACT-security_signature_subid = CIDS\sSignature\sSubID\:\s(?<CIDS_Signature_SubID>.*?[^\,]*)
EXTRACT-security_app_name = Application\:\s(?<Application_Name>.*?[^\,]*)
EXTRACT-security_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Traffic_Direction>\w[^\,]+)\,(?<Network_Protocol>\d[^\,]*)\,(?<Hack_Type>\w*)
EXTRACT-security_app_path = Application\spath\:\s(?<Application_Path>.*?[^\,]*)
EXTRACT-security_sid = \[SID\:\s(?<SID>\d[^\]]+)
EXTRACT-security_audit = Audit\:\s(?<Audit>.*?[^\,.]*)(?=.\s|\,)
EXTRACT-security_requirement = Requirement\:\s(?<Requirement1>.*?[^\,]*)\sRequirement\:\s(?<Requirement2>.*?[^\,]*)
[symantec:ep:traffic:file]
EXTRACT-traffic_vendor_severity = ^[\d\-\s\:]+\,(?<vendor_severity>.*?[^\,]*)\,(?<Host_Name>\w[^\,]+)
EXTRACT-traffic_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-traffic_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-traffic_begin_time = Begin\:\s(?<Begin_Time>\d[^\,]+)
EXTRACT-traffic_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-traffic_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)
EXTRACT-traffic_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-traffic_local_pt = Local\sPort\:\s+(?<Local_Port>\d[^\,]*)
EXTRACT-traffic_remote_pt = Remote\sPort\:\s+(?<Remote_Port>\d[^\,]*)
EXTRACT-traffic_remote_name = Remote\s\Host\sName\:\s(?<Remote_Host_Name>.*?[^\,]*)
EXTRACT-traffic_remote_ip = Remote\sHost\sIP\:\s(?<Remote_Host_IP>\d[^\,]+)
EXTRACT-traffic_local_mac = Local\sHost\sMAC\:\s(?<Local_Host_MAC>\w[^\,]+)
EXTRACT-traffic_md5 = MD\-5\:\s(?<MD_5>.*?[^\,]*)
EXTRACT-traffic_sha256 = SHA\-256\:\s(?<SHA_256>.*?[^\,]*)
EXTRACT-traffic_app_name = Application\:\s(?<Application_Name>.*?[^\,]*)
EXTRACT-traffic_local_ip = Local\sHost\:\s+(?<Local_Host_IP>\d[^\,]+)
EXTRACT-traffic_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Network_Protocol>\d[^\,]*)\,(?<Traffic_Direction>\w[^\,]+)
EXTRACT-traffic_vendor_action = Action\:\s(?<vendor_action>\w[^\,]+)
EXTRACT-traffic_rule_name = Rule\:\s(?<Rule_Name>\w[^\,]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works great, thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, thanks for this.
I had to alter a few fields slightly:
110. [symantec:ep:security:file]
112. EXTRACT-security_event_desc = Event\sDescription\:\s(?<Event_Description>.[^\.]+)
121. EXTRACT-security_local_ip = Local\sHost\sIP\:\s+(?<Local_Host_IP>\d[^\,]+)
133. EXTRACT-security_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Traffic_Direction>\w[^\,]+)\,(?<Network_Protocol>[^\,]*)\,(?<Hack_Type>\w*)
139. [symantec:ep:traffic:file]
155. EXTRACT-traffic_local_ip = Local\sHost\sIP\:\s+(?<Local_Host_IP>\d[^\,]+)
156. EXTRACT-traffic_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Network_Protocol>\d[^\,]*)\,(?<Traffic_Direction>\w[^\,]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a much better idea.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@csperry my guys just deployed 14.2RU1Mp1 any idea if that one is covered by your props method? Immediately my analysts told me; symantec:ep:security:file / [field_extraction_for_agt_security] went away; the only change I saw was "Local:" went to "Local Host IP:" in the raw logs, so I tried to rig some tests with | rex but it does not seem to fix all of it, but i am only just learning. If you have any insight or an update I'll buy you a cola and conf man. I'll see if I can put your props up on the SHC after hours tonight.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@csperry; False alarm, yes props method looks good and gets our dashboards populating again; Thanks.
`
symantec:ep:security:file : EXTRACT-security_local_ip
Inline Local\sHost\sIP:\s+(?
[“Original”] Local:\s+(?\d[^\,]+)
[“No Go”] Local Host IP:\s+(?\d[^\,]+)
[“Go”] Local\sHost\sIP:\s+(?\d[^\,]+)
`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
14.2RU1Mp1 (14.2.4814.1101).
https://support.symantec.com/us/en/article.TECH154475.html
Name Version/Build Release Date
(General Availability)
14.2.1.1 (14.2 RU1 MP1) 14.2.4814.1101 August 20, 2019
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You mean props.conf, correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed the bad file name---thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is exactly what I meant. I just typed the wrong file name in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for putting this together. It worked perfectly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am using the following for my agt_risk extraction:
[field_extraction_for_agt_risk]
REGEX =(?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?[[sep_file_field]]))?,\s*(?:Source:\s*(?[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Actual\saction:\s*(?[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?[[sep_file_field]]))?,\s*(?:Inserted:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?[[sep_file_field]]))?,\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Group:\s*(?[[sep_file_field]]))?,\s*(?:Server:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?[[sep_file_field]]))?,\s*(?:Disposition:\s*(?[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?[[sep_file_field]]))?,\s*(?:Downloaded\sby:\s*(?[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?[[sep_file_field]]))?,\s*(?:Confidence:\s*(?[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?:Application\shash:\s*(?[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?.))?,\s(?:Application\sname:\s(?[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?[[sep_file_field]]))?,\s*(?:File\ssize\s(bytes):\s*(?[[sep_file_field]]))?,\s*(?:Category\sset:\s*(?[[sep_file_field]]))?,\s*(?:Category\stype:\s*(?[[sep_file_field]]))?,?\s*(?:Location:\s*(?[[sep_file_field]]))?,\s*(?:Intensive\sProtection\sLevel:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?[[sep_file_field]]))?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:... you'll also want to be running v 2.3.0 (latest as of this writing) of the Symantec add-on... https://splunkbase.splunk.com/app/2772/
[field_extraction_for_traffic]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?:Local Host:\s*(?<Local_Host_IP>[[sep_file_field]]))?,\s*(?:Local Port:\s*(?<Local_Port>[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?<Local_Host_MAC>[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?<Remote_Host_IP>[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?<Remote_Host_Name>[[sep_file_field]]))?,\s*(?:Remote Port:\s*(?<Remote_Port>[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?<Remote_Host_MAC>[[sep_file_field]]))?,\s*(?<Network_Protocol>[[sep_file_field]]),\s*(?<Traffic_Direction>[[sep_file_field]]),\s*(?:Begin:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?:Application:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Rule:\s*(?<rule>[[sep_file_field]]))?,\s*(?:Location:\s*(?<Location>[[sep_file_field]]))?,\s*(?:User:\s*(?<user>[[sep_file_field]]))?,\s*(?:Domain:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Action:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:SHA-256:\s*(?<SHA_256>[[sep_file_field]]))?,\s*(?:MD-5:\s*(?<MD_5>[[sep_file_field]]))?
[field_extraction_for_agt_security]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?:Event Description:\s*(?<Event_Description>[[sep_file_field]])),\s*(?:Local:\s*(?<Local_Host_IP>[[sep_file_field]]))?,\s*(?:Local Host MAC:\s*(?<Local_Host_MAC>[[sep_file_field]]))?,\s*(?:Remote Host Name:\s*(?<Remote_Host_Name>[[sep_file_field]]))?,\s*(?:Remote Host IP:\s*(?<Remote_Host_IP>[[sep_file_field]]))?,\s*(?:Remote Host MAC:\s*(?<Remote_Host_MAC>[[sep_file_field]]))?,\s*(?<Traffic_Direction>[[sep_file_field]]),\s*(?<Network_Protocol>[[sep_file_field]]),\s*(?<Hack_Type>[[sep_file_field]]),\s*(?:Begin:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?:Application:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Location:\s*(?<Location>[[sep_file_field]]))?,\s*(?:User:\s*(?<user>[[sep_file_field]])),\s*(?:Domain:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Local\sPort\s*(?<Local_Port>[[sep_file_field]]))?,\s*(?:Remote\sPort\s*(?<Remote_Port>[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sID:\s*(?<CIDS_Signature_ID>[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sstring:\s*(?<CIDS_Signature_String>[[sep_file_field]]))?,\s*(?:CIDS\sSignature\sSubID:\s*(?<CIDS_Signature_SubID>[[sep_file_field]]))?,\s*(?:Intrusion\sURL:\s*(?<Intrusion_URL>[[sep_file_field]]))?,\s*(?:Intrusion\sPayload\sURL:\s*(?<Intrusion_Payload_URL>[[sep_file_field]]))?,?\s*(?:SHA-256:\s*(?<SHA_256>[[sep_file_field]]))?,?\s*(?:MD-5:\s*(?<MD_5>[[sep_file_field]]))?
[field_extraction_for_agt_risk]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Computer\sname:\s*(?<Computer_Name>[^,']*'[^']*'|[^,"]*"[^"]*|[^,]*))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Last\supdate\stime:\s*(?<Last_Update_Time>[[sep_file_field]]))?,\s*(?:Domain:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?:User:\s*(?<user>[[sep_file_field]])),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?<Reason_For_White_Listing>[[sep_file_field]]),\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:Application\sname:\s(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?P<Application_Version>.*))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?(?:,\s*Category\sset:\s*(?<Category_Set>[[sep_file_field]]),\s*Category\stype:\s*(?<Category_Type>[[sep_file_field]]))?,?\s*(?:Location:\s*(?<Location>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?
[field_extraction_for_agt_behavior]
REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),?\s*(?<IP_Address>[[sep_file_field]])?,\s*(?<vendor_action>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?<API>[[sep_file_field]]),\s*(?:Begin:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Rule:\s*(?<rule>[[sep_file_field]])),\s*(?<Caller_Process_ID>[[sep_file_field]]),\s*(?<Caller_Process_Name>[[sep_file_field]]),\s*(?<Return_Address>[[sep_file_field]]),\s*(?<Return_Module>[[sep_file_field]]),\s*(?<Parameter>[[sep_file_field]]),\s*(?:User:\s*(?<user>[[sep_file_field]])),\s*(?:Domain:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?<Action_Type>[[sep_file_field]]))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]),\s*Device\sID:\s*(?<Device_ID>[[sep_file_field]]))?$
[field_extraction_for_agt_proactive]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:Computer\sname:\s*(?<Computer_Name>[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?<Detection_Type>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?<Application_Version>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?<Detection_Score>[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?<COH_Engine_Version>[[sep_file_field]]))?,\s*(?<Submission_Recommendation>[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?<Permitted_Application_Reason>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?<Risk_Level>[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?<Risk_Type>[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?<Detection_Source>[[sep_file_field]]))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,\s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Domain:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<user>[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So far worked in dev with a one-shot; looking good for prod;Thank you for sharing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this worked for me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for me as well. In Splunk Cloud - updated the configuration via the webui and refreshed the searches. Thank you.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
