All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Symantec Endpoint Protection extracting wrong field values

jwalzerpitt
Influencer
‎11-10-2017 08:25 AM

While reviewing the sourcetype=symantec:ep:security:file events, I noticed that values from fields are not being extracted correctly. I'm seeing things like files (C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE) lsted under user, time listed under Application_Name, protocol listed under Begin_Time, etc.

Are there any plans to fix this, or can I modify the transforms.conf file to fix the issues?

Thx

Reply

jwalzerpitt
Influencer
‎11-17-2017 07:06 AM

I believe I have figured out the issue. After digging into the events there were two fields not being extracted, SHA256 and MD5. here's a snippet of one event:

2017-11-17 08:43:45,Major,systemname,SHA-256: ,MD-5: ,Denial of Service 'Smurf' attack detected. Description: A Smurf attack occurs when a hacker spoofs your system's IP address and then broadcasts a ping request to several subnets. The resulting deluge of ping responses ties up your system as well as the various network subnets pinged.

Looking at /data/splunk/etc/apps/Splunk_TA_symantec-ep/transforms.conf, the stanza for_agt_security is as follows:

[field_extraction_for_agt_security]
# The regular expression consists of repeated shorter regex in below form:
#               (?<FILED_NAME>[[sep_file_field]])
# All those regex are joined by ",\s*" which is a comma actually.
# The [[sep_file_field]] is referring modular regex "sep_file_field". Refer to Splunk Documentation for detail about modular regex.

REGEX = (?:[[sep_file_preifx]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?<Event_Description>[[sep_file_field]]),\s*(?<Local_Host_IP>[[sep_file_field]]),\s*(?<Local_Hos
t_MAC>[[sep_file_field]]),\s*(?<Remote_Host_Name>[[sep_file_field]]),\s*(?<Remote_Host_IP>[[sep_file_field]]),\s*(?<Remote_Host_MAC>[[sep_file_field]]),\s*(?<Traffic_Direction>[[sep_file_field]]),\s*(?<Network_
Protocol>[[sep_file_field]]),\s*(?<Hack_Type>[[sep_file_field]]),\s*(?<Begin_Time>[[sep_file_field]]),\s*(?<End_Time>[[sep_file_field]]),\s*(?<Occurrences>[[sep_file_field]]),\s*(?<Application_Name>[[sep_file_f
ield]]),\s*(?<Location>[[sep_file_field]]),\s*(?<user>[[sep_file_field]]),\s*(?<Domain_Name>[[sep_file_field]]),\s*(?<Local_Port>[[sep_file_field]]),\s*(?<Remote_Port>[[sep_file_field]]),\s*(?<CIDS_Signature_ID
>[[sep_file_field]]),\s*(?<CIDS_Signature_String>[[sep_file_field]]),\s*(?<CIDS_Signature_SubID>[[sep_file_field]]),\s*(?<Intrusion_URL>[[sep_file_field]]),\s*(?<Intrusion_Payload_URL>[[sep_file_field]])

I modified that to as follows:

REGEX = (?:[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<HASHSHA1>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<
HASHMD5>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Host_IP>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Host_MAC>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]
*),\s*(?<Remote_Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Host_IP>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Host_MAC>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Traffic_Direction>[^,']*'[^']*
'|[^,"]*"[^"]*"|[^,]*),\s*(?<Network_Protocol>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Hack_Type>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Begin_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<End_Time>[^,']*'[^']
*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Occurrences>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Application_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Location>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<user>[^,']*'[^']*'|
[^,"]*"[^"]*"|[^,]*),\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Port>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Port>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_ID>[^,']*'
[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_String>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_SubID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Intrusion_URL>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s
*(?<Intrusion_Payload_URL>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)

I then modified the stanza [symantec:ep:security:file] in /data/splunk/etc/apps/Splunk_TA_symantec-ep/props.conf adding the following right above the line # For the case: "User Name: user1,user2":

EVAL-HASHSHA1 = nullif(replace(HASHSHA1, "[^:]+:\s*(.*)", "\1"),"")
EVAL-HASHMD5 = nullif(replace(HASHMD5, "[^:]+:\s*(.*)", "\1"),"")

I ran a new search and the fields are now being extracted correctly.

I know I modified the conf file in the default directory, but I'm assuming the next update to the Add-on (hopefully soon) will fix the issue permanently.

Thx

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...