All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

alexlomas
Path Finder
‎07-30-2015 06:10 AM

I found that the canned extractions for [field_extraction_for_agt_risk] and [field_extraction_for_agt_behavior] were not working with Splunk 6.2.3 and SEP manager v 12.1.4104.4130.

It looks like the last couple of fields for each were missing, in my case that's category_set, category_type, File_Size & Device_ID. I modified the regexes as below to make the last two fields optional. The pre-built dashboards now work correctly. I don't know if "something" is wrong in the versions, regexes, or logfiles themeselves, but if the developer sees this perhaps they can comment 🙂

[field_extraction_for_agt_behavior]
REGEX = (\s*'[^']*'|\s*[^,]*)(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1})?
FORMAT = Severity::$2 Host_Name::$3 Action::$4 Description::$5 API::$6 Begin_Time::$7 End_Time::$8 Rule_Name::$9 Caller_Process_ID::$10 Caller_Process_Name::$11 Return_Address::$12 Return_Module::$13 Parameter::$14 User_Name::$15 Domain_Name::$16 Action_Type::$17 File_Size::$18 Device_ID::$19

[field_extraction_for_agt_risk]
REGEX = (\s*'[^']*'|\s*"[^"]*"|\s*[^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1},Application\sversion:\s(.*),Application\stype:([^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1})?
FORMAT = Risk_Action::$2 IP_Address::$3 Computer_Name::$4 Source::$5 Risk_Name::$6 Occurrences::$7 File_Path::$8 Description::$9 Actual_Action::$10 Requested_Action::$11 Secondary_Action::$12 Event_Time::$13 Event_Insert_Time::$14 End_Time::$15 Last_Update_Time::$16 Domain_Name::$17 Group_Name::$18 Server_Name::$19 User_Name::$20 Source_Computer_Name::$21 Source_Computer_IP::$22 Disposition::$23 Download_site::$24 Web_domain::$25 Downloaded_by::$26 Prevalence::$27 Confidence::$28 URL_Tracking_Status::$29 First_Seen::$31 Sensitivity::$32 Reason_for_white_listing::$33 Application_Hash::$34 Hash_Type::$35 Company_Name::$36 Application_Name::$37 Application_Version::$38 Application_Type::$39 File_Size::$40 Category_set::$41 Category_type::$42
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 02:06 PM

Alright, I guess it IS a bug and we will fix in the next release. The difference must stem from a difference in SEP configuration.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 02:06 PM

Alright, I guess it IS a bug and we will fix in the next release. The difference must stem from a difference in SEP configuration.

0 Karma
Reply
Solved! Jump to solution

alexlomas
Path Finder
‎07-30-2015 02:08 PM

OK - let me know if you want file samples offline.

0 Karma
Reply
Solved! Jump to solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 02:14 PM

woud love some samples. thanks!

0 Karma
Reply
Solved! Jump to solution

alexlomas
Path Finder
‎07-31-2015 12:27 AM

Not quite sure how to mail them over - we have a support contract so if you can see me in the CRM you can pull out my email address I guess.

0 Karma
Reply
Solved! Jump to solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 01:53 PM

A new reply to an answer on Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working was posted by alexlomas on Splunk Answers:

Awesome - are any of the other field extractions affected?

On a semi-related topic: how is the malware lookup supposed to work? Or rather, in which reports/panels is it used?

I might have been too hasty, please respond to question below to clarify.

re: malware lookup - it is used to map to CIM category field. TA is focused on getting data into Splunk and does not come with built in visual components. If you have ES, this data will show up in Malware related dashboards.

0 Karma
Reply
Solved! Jump to solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 01:45 PM

To confirm: the fields were not being extracted or missing in your logs?

0 Karma
Reply
Solved! Jump to solution

alexlomas
Path Finder
‎07-30-2015 02:03 PM

The fields are not in the logs - I modified the extractions to make the last two fields for both files optional with a (?: ... )?

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top