All Apps and Add-ons

Splunk Add-on for Symantec Endpoint Protection extracting wrong field values

jwalzerpitt
Influencer

While reviewing the sourcetype=symantec:ep:security:file events, I noticed that values from fields are not being extracted correctly. I'm seeing things like files (C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE) lsted under user, time listed under Application_Name, protocol listed under Begin_Time, etc.

Are there any plans to fix this, or can I modify the transforms.conf file to fix the issues?

Thx

jwalzerpitt
Influencer

I believe I have figured out the issue. After digging into the events there were two fields not being extracted, SHA256 and MD5. here's a snippet of one event:

2017-11-17 08:43:45,Major,systemname,SHA-256: ,MD-5: ,Denial of Service 'Smurf' attack detected. Description: A Smurf attack occurs when a hacker spoofs your system's IP address and then broadcasts a ping request to several subnets. The resulting deluge of ping responses ties up your system as well as the various network subnets pinged.

Looking at /data/splunk/etc/apps/Splunk_TA_symantec-ep/transforms.conf, the stanza for_agt_security is as follows:

[field_extraction_for_agt_security]
# The regular expression consists of repeated shorter regex in below form:
#               (?<FILED_NAME>[[sep_file_field]])
# All those regex are joined by ",\s*" which is a comma actually.
# The [[sep_file_field]] is referring modular regex "sep_file_field". Refer to Splunk Documentation for detail about modular regex.

REGEX = (?:[[sep_file_preifx]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?<Event_Description>[[sep_file_field]]),\s*(?<Local_Host_IP>[[sep_file_field]]),\s*(?<Local_Hos
t_MAC>[[sep_file_field]]),\s*(?<Remote_Host_Name>[[sep_file_field]]),\s*(?<Remote_Host_IP>[[sep_file_field]]),\s*(?<Remote_Host_MAC>[[sep_file_field]]),\s*(?<Traffic_Direction>[[sep_file_field]]),\s*(?<Network_
Protocol>[[sep_file_field]]),\s*(?<Hack_Type>[[sep_file_field]]),\s*(?<Begin_Time>[[sep_file_field]]),\s*(?<End_Time>[[sep_file_field]]),\s*(?<Occurrences>[[sep_file_field]]),\s*(?<Application_Name>[[sep_file_f
ield]]),\s*(?<Location>[[sep_file_field]]),\s*(?<user>[[sep_file_field]]),\s*(?<Domain_Name>[[sep_file_field]]),\s*(?<Local_Port>[[sep_file_field]]),\s*(?<Remote_Port>[[sep_file_field]]),\s*(?<CIDS_Signature_ID
>[[sep_file_field]]),\s*(?<CIDS_Signature_String>[[sep_file_field]]),\s*(?<CIDS_Signature_SubID>[[sep_file_field]]),\s*(?<Intrusion_URL>[[sep_file_field]]),\s*(?<Intrusion_Payload_URL>[[sep_file_field]])

I modified that to as follows:

REGEX = (?:[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<HASHSHA1>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<
HASHMD5>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Host_IP>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Host_MAC>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]
*),\s*(?<Remote_Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Host_IP>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Host_MAC>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Traffic_Direction>[^,']*'[^']*
'|[^,"]*"[^"]*"|[^,]*),\s*(?<Network_Protocol>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Hack_Type>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Begin_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<End_Time>[^,']*'[^']
*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Occurrences>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Application_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Location>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<user>[^,']*'[^']*'|
[^,"]*"[^"]*"|[^,]*),\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Port>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Port>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_ID>[^,']*'
[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_String>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_SubID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Intrusion_URL>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s
*(?<Intrusion_Payload_URL>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)

I then modified the stanza [symantec:ep:security:file] in /data/splunk/etc/apps/Splunk_TA_symantec-ep/props.conf adding the following right above the line # For the case: "User Name: user1,user2":

EVAL-HASHSHA1 = nullif(replace(HASHSHA1, "[^:]+:\s*(.*)", "\1"),"")
EVAL-HASHMD5 = nullif(replace(HASHMD5, "[^:]+:\s*(.*)", "\1"),"")

I ran a new search and the fields are now being extracted correctly.

I know I modified the conf file in the default directory, but I'm assuming the next update to the Add-on (hopefully soon) will fix the issue permanently.

Thx

Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...