All Apps and Add-ons

Splunk Add-on for Symantec Endpoint Protection extracting wrong field values

jwalzerpitt
Motivator

While reviewing the sourcetype=symantec:ep:security:file events, I noticed that values from fields are not being extracted correctly. I'm seeing things like files (C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE) lsted under user, time listed under Application_Name, protocol listed under Begin_Time, etc.

Are there any plans to fix this, or can I modify the transforms.conf file to fix the issues?

Thx

jwalzerpitt
Motivator

I believe I have figured out the issue. After digging into the events there were two fields not being extracted, SHA256 and MD5. here's a snippet of one event:

2017-11-17 08:43:45,Major,systemname,SHA-256: ,MD-5: ,Denial of Service 'Smurf' attack detected. Description: A Smurf attack occurs when a hacker spoofs your system's IP address and then broadcasts a ping request to several subnets. The resulting deluge of ping responses ties up your system as well as the various network subnets pinged.

Looking at /data/splunk/etc/apps/Splunk_TA_symantec-ep/transforms.conf, the stanza for_agt_security is as follows:

[field_extraction_for_agt_security]
# The regular expression consists of repeated shorter regex in below form:
#               (?<FILED_NAME>[[sep_file_field]])
# All those regex are joined by ",\s*" which is a comma actually.
# The [[sep_file_field]] is referring modular regex "sep_file_field". Refer to Splunk Documentation for detail about modular regex.

REGEX = (?:[[sep_file_preifx]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?<Event_Description>[[sep_file_field]]),\s*(?<Local_Host_IP>[[sep_file_field]]),\s*(?<Local_Hos
t_MAC>[[sep_file_field]]),\s*(?<Remote_Host_Name>[[sep_file_field]]),\s*(?<Remote_Host_IP>[[sep_file_field]]),\s*(?<Remote_Host_MAC>[[sep_file_field]]),\s*(?<Traffic_Direction>[[sep_file_field]]),\s*(?<Network_
Protocol>[[sep_file_field]]),\s*(?<Hack_Type>[[sep_file_field]]),\s*(?<Begin_Time>[[sep_file_field]]),\s*(?<End_Time>[[sep_file_field]]),\s*(?<Occurrences>[[sep_file_field]]),\s*(?<Application_Name>[[sep_file_f
ield]]),\s*(?<Location>[[sep_file_field]]),\s*(?<user>[[sep_file_field]]),\s*(?<Domain_Name>[[sep_file_field]]),\s*(?<Local_Port>[[sep_file_field]]),\s*(?<Remote_Port>[[sep_file_field]]),\s*(?<CIDS_Signature_ID
>[[sep_file_field]]),\s*(?<CIDS_Signature_String>[[sep_file_field]]),\s*(?<CIDS_Signature_SubID>[[sep_file_field]]),\s*(?<Intrusion_URL>[[sep_file_field]]),\s*(?<Intrusion_Payload_URL>[[sep_file_field]])

I modified that to as follows:

REGEX = (?:[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<HASHSHA1>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<
HASHMD5>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Host_IP>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Host_MAC>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]
*),\s*(?<Remote_Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Host_IP>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Host_MAC>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Traffic_Direction>[^,']*'[^']*
'|[^,"]*"[^"]*"|[^,]*),\s*(?<Network_Protocol>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Hack_Type>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Begin_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<End_Time>[^,']*'[^']
*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Occurrences>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Application_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Location>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<user>[^,']*'[^']*'|
[^,"]*"[^"]*"|[^,]*),\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Local_Port>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Remote_Port>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_ID>[^,']*'
[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_String>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<CIDS_Signature_SubID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Intrusion_URL>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s
*(?<Intrusion_Payload_URL>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)

I then modified the stanza [symantec:ep:security:file] in /data/splunk/etc/apps/Splunk_TA_symantec-ep/props.conf adding the following right above the line # For the case: "User Name: user1,user2":

EVAL-HASHSHA1 = nullif(replace(HASHSHA1, "[^:]+:\s*(.*)", "\1"),"")
EVAL-HASHMD5 = nullif(replace(HASHMD5, "[^:]+:\s*(.*)", "\1"),"")

I ran a new search and the fields are now being extracted correctly.

I know I modified the conf file in the default directory, but I'm assuming the next update to the Add-on (hopefully soon) will fix the issue permanently.

Thx

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...