All Apps and Add-ons

The add-on for Symantec Endpoint Protection (https://splunkbase.splunk.com/app/2772/) is not extracting the fields by default. version 3.0.0

dkolekar_splunk
Splunk Employee
Splunk Employee

We are using splunk add-on for Symantec Endpoint Protection version 3.0.0
We noticed that the fields are not getting extracted automatically for the following sourcetype.

  • symantec:ep:risk:file
  • symantec:ep:security:file
  • symantec:ep:traffic:file
  • symantec:ep:packet:file
  • symantec:ep:proactive:file
  • symantec:ep:agt_system:file
  • symantec:ep:scm_system:file
  • symantec:ep:agent:file
  • symantec:ep:scan:file
  • symantec:ep:admin:file
  • symantec:ep:policy:file
1 Solution

dkolekar_splunk
Splunk Employee
Splunk Employee

This is a known issue reported in ADDON-21970.
The solution is as below:
On Search head:
- Please find below new_props.conf and new_transforms.conf
- Take a backup of the add-on's local directory.
- Put new_props.conf and new_transforms.conf in the App's local directory.
- Merge the new_props.conf & new_transform.conf configuration with existing ones. (For safer side, keep the backup of existing ones.)
- Rename it as props.conf & transforms.conf
- Restart Splunk.
- Verify the extraction.

transform.conf

[field_extraction_for_agt_system]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?:Category:\s*(?<Category>[[sep_file_field]]))?,\s*(?<Event_Source>[[sep_file_field]]),\s*(?<Event_Description>\"[^"]*\"|[^,]*)(,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]])))?
# (?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Category:\s*(?<Category>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<Event_Source>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Event_Description>.*)

[field_extraction_for_scm_system]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])

[field_extraction_for_agent_act]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?:Site:\s*(?P<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?P<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?P<Domain>[[sep_file_field]]))?,\s*(?P<Event_Description>[[sep_file_field]]),\s*(?P<Host_Name>[[sep_file_field]]),\s*(?P<user>[[sep_file_field]]),\s*(?P<Domain_Name>[[sep_file_field]])
# (?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?:Site:\s*(?P<Site_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Server:\s*(?P<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Domain:\s*(?P<Domain>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?P<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<user>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)

[field_extraction_for_agt_behavior]
REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),?\s*(?<IP_Address>[[sep_file_field]])?,\s*(?<vendor_action>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?<API>[[sep_file_field]]),\s*(?:Begin( Time)?:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End( Time)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?<rule>[[sep_file_field]]),\s*(?<Caller_Process_ID>[[sep_file_field]]),\s*(?<Caller_Process_Name>[[sep_file_field]]),\s*(?<Return_Address>[[sep_file_field]]),\s*(?<Return_Module>[[sep_file_field]]),\s*(?<Parameter>[[sep_file_field]]),\s*(?:User( Name)?:\s*(?<user>[[sep_file_field]])),\s*(?:Domain( Name)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?<Action_Type>[[sep_file_field]]))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]),\s*Device\sID:\s*(?<Device_ID>[[sep_file_field]]))?$

[field_extraction_for_agt_scan]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?:Scan\sID:\s*(?<Scan_ID>[[sep_file_field]]))?,\s*(?:Begin(\sTime)?:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End(\sTime)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?<Status>[[sep_file_field]]),\s*(?:Duration\s\(seconds\):\s*(?<Duration>[[sep_file_field]]))?,\s*(?:User1:\s*(?<Client_User_1>[[sep_file_field]]))?,\s*(?:User2:\s*(?<Client_User_2>[[sep_file_field]]))?,\s*(?<Start_Message>[[sep_file_field]]),\s*(?<Stop_Message>[[sep_file_field]]),\s*(?:Command:\s*(?<Command>[[sep_file_field]]))?,\s*(?:Threats:\s*(?<Threats>[[sep_file_field]]))?,\s*(?:Infected:\s*(?<Infected_Files>[[sep_file_field]]))?,\s*(?:Total\sFiles:\s*(?<Total_Files>[[sep_file_field]]))?,\s*(?:Omitted:\s*(?<Omitted_Files>[[sep_file_field]]))?,\s*(?:Computer(\sName)?:\s*(?<Computer_Name>[[sep_file_field]]))?,\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?

[field_extraction_start_message_stop_message]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),(\"[^\"]*\"|\'[^\']*\'|[^,]*),Command:
FORMAT = Start_Message::$1 Stop_Message::$2

[field_extraction_status]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Duration:
FORMAT = Status::$1

[field_extraction_key_value_pairs_1]
# Regex for fields like:- "First Seen: Reputation, was not used in this detection."
REGEX = ,\"([^:,\"\']*):\s+([^\"]*)\"
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_2]
# Regex for fields like:- First Seen: "Reputation, was not used in this detection."
REGEX = ,([^:,\"\']*):\s+\"([^\"]*)\"
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_3]
# Regex for fields like:- 'First Seen: Reputation, was not used in this detection.'
REGEX = ,\'([^:,\"\']*):\s+([^\']*)\'
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_4]
# Regex for fields like:- First Seen: 'Reputation, was not used in this detection.'
REGEX = ,([^:,\"\']*):\s+\'([^\']*)\'
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_5]
# Regex for fields like:- First Seen: Reputation was not used in this detection.
REGEX = ,([^:,\"\']*):\s+([^,]*)
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_risk_action]
REGEX = ^[^,]*,(\"[^\"]*\"|\'[^\']*\'|[^,]*),
FORMAT = Risk_Action::$1

[field_extraction_file_path_description]
REGEX = ,([^,]*),(\"[^\"]*\"|\'[^\']*\'|[^,]*),Actual\saction:
FORMAT = file_path::$1 Description::$2

[field_extraction_agt_risk_reason_for_white_listing]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Application\shash:
FORMAT = Reason_For_White_Listing::$1

[field_extraction_agt_risk_unknown_field]
REGEX = ,URL\sTracking\sStatus:\s+[^,]*,(.*),First Seen:
FORMAT = Unknown_Field::$1

[field_extraction_proactive_submission_recommendation]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Permitted\sapplication\sreason:
FORMAT = Submission_Recommendation::$1


[field_extraction_for_agt_security_1]
# Regex for event format from SEP version before 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?<SHA_256>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,?(?<MD_5>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Event_Description>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local:\s*(?<Local_Host_IP>[^,]*),Local:\s*(?<Local_Host_MAC>[^,]*),Remote:\s*(?<Remote_Host_Name>[^,]*),Remote:\s*(?<Remote_Host_IP>[^,]*),Remote:\s*(?<Remote_Host_MAC>[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Hack_Type>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin:\s*(?<Begin_Time>[^,]*),?(?:End:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,Local\sPort\s+(?<Local_Port>[^,]*),Remote\sPort\s+(?<Remote_Port>[^,]*),[\"\']?CIDS\sSignature\sID:\s*[\"\']?(?<CIDS_Signature_ID>.*)[\"\']?,[\"\']?CIDS\sSignature\sstring:\s*[\"\']?(?<CIDS_Signature_String>.*)[\"\']?,[\"\']?CIDS\sSignature\sSubID:\s*[\"\']?(?<CIDS_Signature_SubID>.*)[\"\']?,[\"\']?Intrusion URL:\s*[\"\']?(?<Intrusion_URL>.*)[\"\']?,[\"\']?Intrusion\sPayload\sURL:\s*[\"\']?(?<Intrusion_Payload_URL>.*)[\"\']?

[field_extraction_for_agt_security_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Event\sDescription:\s*[\"\']?(?<Event_Description>.*)[\"\']?,Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Hack_Type>.*)[\"\']?)?,Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,Local\sPort:\s*(?<Local_Port>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),[\"\']?CIDS\sSignature\sID:\s*[\"\']?(?<CIDS_Signature_ID>.*)[\"\']?,[\"\']?CIDS\sSignature\sstring:\s*[\"\']?(?<CIDS_Signature_String>.*)[\"\']?,[\"\']?CIDS\sSignature\sSubID:\s*[\"\']?(?<CIDS_Signature_SubID>.*)[\"\']?,[\"\']?Intrusion URL:\s*[\"\']?(?<Intrusion_URL>.*)[\"\']?,[\"\']?Intrusion\sPayload\sURL:\s*[\"\']?(?<Intrusion_Payload_URL>.*)[\"\']?,?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Unknown_Field>.*)[\"\']?)?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_agt_traffic_1]
# Regex for event format from SEP version before 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:SHA-256:\s*(?<SHA_256>[^,]*))?,?(?:MD-5:\s*(?<MD_5>[^,]*))?,Local:\s*(?<Local_Host_IP>[^,]*),Local:\s*(?<Local_Port>[^,]*),Local:\s*(?<Local_Host_MAC>[^,]*),Remote:\s*(?<Remote_Host_IP>[^,]*),Remote:\s*(?<Remote_Host_Name>[^,]*),Remote:\s*(?<Remote_Port>[^,]*),Remote:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin:\s*(?<Begin_Time>[^,]*),?(?:End:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?

[field_extraction_for_agt_traffic_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sPort:\s*(?<Local_Port>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_packet]
# Regex support events for symantec:ep:packet:file sourcetype from all SEP versions
REGEX = (?i)^\s*[^,]*,?(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local(\sPort)?:\s*(?<Local_Port>[^,]*),Remote(\sHost)?(\sIP)?:\s*(?<Remote_Host_IP>[^,]*),Remote(\sHost)?(\sName)?:\s*(?<Remote_Host_Name>[^,]*),Remote(\sPort)?:\s*(?<Remote_Port>[^,]*)(?:,Remote(\sHost)?(\sMAC)?:\s*(?<Remote_Host_MAC>[^,]*))?,?(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?



[caller_md5_from_description]
REGEX = Caller\sMD5=\s*(\w+)




[field_extraction_for_admin]
# (?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Site:\s*(?<Site_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Server:\s*(?<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Admin:\s*(?<Admin_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)
REGEX = (?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])


# field_extraction_for_agt_behavior
# ^(?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),?\s*(?<IP_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)?,\s*(?<vendor_action>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<API>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Begin:\s*(?<Begin_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:End:\s*(?<End_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<rule>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Module>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Parameter>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<user>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Action\sType:\s*(?<Action_Type>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*Device\sID:\s*(?<Device_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?$





[field_extraction_for_agt_proactive]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:Computer\sname:\s*(?<Computer_Name>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?<Detection_Type>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?<Application_Version>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?<Detection_Score>[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?<COH_Engine_Version>[[sep_file_field]]))?,\s*(?<Submission_Recommendation>[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?<Permitted_Application_Reason>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?<Risk_Level>[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?<Risk_Type>[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?<Detection_Source>[[sep_file_field]]))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,\s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End(\sTime)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<user>[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?

[field_extraction_for_policy]
REGEX = (?:[[sep_file_prefix]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]]),\s*(?<Policy_Name>[[sep_file_field]])

props.conf

[symantec:ep:agt_system:file]
# Purpose for below "EVAL": trim ' or " or key from field value.
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

[symantec:ep:scm_system:file]
# Purpose for below "EVAL": trim ' or " or key from field value.
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

[symantec:ep:risk:file]
REPORT-field_extraction_for_agt_risk = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_agt_risk_reason_for_white_listing, field_extraction_agt_risk_unknown_field
FIELDALIAS-0_rename_fields_from_agt_risk_report = "Actual action" as vendor_action "Application hash" as Application_Hash "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Category set" as Category_Set "Category type" as Category_Type "Certificate issuer" as Certificate_Issuer "Certificate serial number" as Certificate_Serial_Number "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Company name" as Company_Name "Computer name" as Computer_Name "Download site" as Download_Site "Downloaded by" as Downloaded_By "Event time" as Event_Time "File size (bytes)" as File_Size "First Seen" as First_Seen "Hash type" as Hash_Type "IP Address" as IP_Address "Intensive Protection Level" as Intensive_Protection_Level "Last update time" as Last_Update_Time "Requested action" as Requested_Action "Risk name" as Risk_Name "Secondary action" as Secondary_Action "Signing timestamp" as Signing_Timestamp "URL Tracking Status" as URL_Tracking_Status "Web domain" as Web_Domain
FIELDALIAS-SEP_risk_signature = "Risk name" as SEP_risk_signature
FIELDALIAS-signature = "Risk name" as signature
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_ip = "IP Address" as dest_ip
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Event_Insert_Time = coalesce('Inserted','Event Insert Time')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server Name','Server')
EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-user = nullif(split(trim(replace(coalesce('User', 'User Name'), "[^:]+:\s*(.*)", "\1"), "\"'"), ","), "")

# trim the quotation marks and key from value
EVAL-Description = nullif(trim(trim(Description, "\"'"), "Description: "), "")

[symantec:ep:proactive:file]
REPORT-field_extraction_for_agt_proactive = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_proactive_submission_recommendation
FIELDALIAS-0_rename_fields_from_proactive_file_report = "Computer name" as Computer_Name "IP Address" as IP_Address "Detection type" as Detection_Type "First Seen" as First_Seen  "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Hash type" as Hash_Type "Application hash" as Application_Hash "Company name" as Company_Name "File size (bytes)" as File_Size "Detection score" as Detection_Score "COH Engine Version" as COH_Engine_Version "Permitted application reason" as Permitted_Application_Reason "Download site" as Download_Site "Web domain" as Web_Domain "Downloaded by" as Downloaded_By "URL Tracking Status" as URL_Tracking_Status "Risk Level" as Risk_Level "Risk type" as Risk_Type "Detection Source" as Detection_Source "Risk name" as Risk_Name "Actual action" as vendor_action "Requested action" as Requested_Action "Secondary action" as Secondary_Action "Event time" as Event_Time "Inserted" as Event_Insert_Time "End" as End_Time "Intensive Protection Level" as Intensive_Protection_Level "Certificate issuer" as Certificate_Issuer "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Signing timestamp" as Signing_Timestamp "Certificate serial number" as Certificate_Serial_Number

EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Server_Name = coalesce('Server','Server Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-user = coalesce('User','User Name')
FIELDALIAS-category = "Detection type" as category
FIELDALIAS-signature = "Application type" as signature
FIELDALIAS-src = "Source computer" as src
FIELDALIAS-src_ip = "Source IP" as src_ip
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_nt_domain = Domain as dest_nt_domain
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type

##### For CIM mapping #######
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:security:file]
REPORT-field_extraction_for_agt_security = field_extraction_for_agt_security_1, field_extraction_for_agt_security_2, category_from_description
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-Event_Description = trim(trim(Event_Description,"\'"),"\"")
EVAL-Intrusion_URL = trim(trim(Intrusion_URL,"\'"),"\"")

[symantec:ep:traffic:file]
REPORT-field_extraction_for_traffic = field_extraction_for_agt_traffic_1, field_extraction_for_agt_traffic_2
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-dest = if(Traffic_Direction=="Inbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))
EVAL-src = if(Traffic_Direction=="Outbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))

[symantec:ep:packet:file]
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")

[symantec:ep:scan:file]
REPORT-field_extraction_for_agt_scan = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_status, field_extraction_start_message_stop_message
FIELDALIAS-0_rename_fields_from_agt_scan_file_report = "Scan ID" as Scan_ID "Duration (seconds)" as Duration "User1" as Client_User_1 "User2" as Client_User_2 "Infected" as Infected_Files "Total files" as Total_Files "Omitted" as Omitted_Files "IP Address" as IP_Address 
EVAL-Begin_Time = coalesce('Begin','Begin Time')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Computer_Name = coalesce('Computer','Computer Name')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server','Server Name')

EVAL-dest = coalesce('Computer','Computer Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:scan:file]
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

View solution in original post

rriegert
New Member

I'm using the updated props\transforms files posted by dkolekar, however, I have a few questions.

-In lines 3 and 10 of transforms, are they supposed to be commented out?
-In lines 108 and 113 are those supposed to be commented out or have REGEX = in front of them?

I'm also running SEP 14 RU2 MP1, and I can't seem to get the file_name field parsed correctly, like i could with RU1. Any help with that specific extraction?

Thanks

0 Karma

goelli
Communicator

I think best idea is to file a case at Splunk support to receive the most current beta version of props/transforms. Or to wait for version 3.0.1 of the Add-On.

Best regards

0 Karma

dkolekar_splunk
Splunk Employee
Splunk Employee

This is a known issue reported in ADDON-21970.
The solution is as below:
On Search head:
- Please find below new_props.conf and new_transforms.conf
- Take a backup of the add-on's local directory.
- Put new_props.conf and new_transforms.conf in the App's local directory.
- Merge the new_props.conf & new_transform.conf configuration with existing ones. (For safer side, keep the backup of existing ones.)
- Rename it as props.conf & transforms.conf
- Restart Splunk.
- Verify the extraction.

transform.conf

[field_extraction_for_agt_system]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?:Category:\s*(?<Category>[[sep_file_field]]))?,\s*(?<Event_Source>[[sep_file_field]]),\s*(?<Event_Description>\"[^"]*\"|[^,]*)(,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]])))?
# (?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Category:\s*(?<Category>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<Event_Source>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Event_Description>.*)

[field_extraction_for_scm_system]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])

[field_extraction_for_agent_act]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?:Site:\s*(?P<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?P<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?P<Domain>[[sep_file_field]]))?,\s*(?P<Event_Description>[[sep_file_field]]),\s*(?P<Host_Name>[[sep_file_field]]),\s*(?P<user>[[sep_file_field]]),\s*(?P<Domain_Name>[[sep_file_field]])
# (?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?:Site:\s*(?P<Site_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Server:\s*(?P<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Domain:\s*(?P<Domain>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?P<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<user>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)

[field_extraction_for_agt_behavior]
REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),?\s*(?<IP_Address>[[sep_file_field]])?,\s*(?<vendor_action>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?<API>[[sep_file_field]]),\s*(?:Begin( Time)?:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End( Time)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?<rule>[[sep_file_field]]),\s*(?<Caller_Process_ID>[[sep_file_field]]),\s*(?<Caller_Process_Name>[[sep_file_field]]),\s*(?<Return_Address>[[sep_file_field]]),\s*(?<Return_Module>[[sep_file_field]]),\s*(?<Parameter>[[sep_file_field]]),\s*(?:User( Name)?:\s*(?<user>[[sep_file_field]])),\s*(?:Domain( Name)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?<Action_Type>[[sep_file_field]]))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]),\s*Device\sID:\s*(?<Device_ID>[[sep_file_field]]))?$

[field_extraction_for_agt_scan]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?:Scan\sID:\s*(?<Scan_ID>[[sep_file_field]]))?,\s*(?:Begin(\sTime)?:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End(\sTime)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?<Status>[[sep_file_field]]),\s*(?:Duration\s\(seconds\):\s*(?<Duration>[[sep_file_field]]))?,\s*(?:User1:\s*(?<Client_User_1>[[sep_file_field]]))?,\s*(?:User2:\s*(?<Client_User_2>[[sep_file_field]]))?,\s*(?<Start_Message>[[sep_file_field]]),\s*(?<Stop_Message>[[sep_file_field]]),\s*(?:Command:\s*(?<Command>[[sep_file_field]]))?,\s*(?:Threats:\s*(?<Threats>[[sep_file_field]]))?,\s*(?:Infected:\s*(?<Infected_Files>[[sep_file_field]]))?,\s*(?:Total\sFiles:\s*(?<Total_Files>[[sep_file_field]]))?,\s*(?:Omitted:\s*(?<Omitted_Files>[[sep_file_field]]))?,\s*(?:Computer(\sName)?:\s*(?<Computer_Name>[[sep_file_field]]))?,\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?

[field_extraction_start_message_stop_message]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),(\"[^\"]*\"|\'[^\']*\'|[^,]*),Command:
FORMAT = Start_Message::$1 Stop_Message::$2

[field_extraction_status]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Duration:
FORMAT = Status::$1

[field_extraction_key_value_pairs_1]
# Regex for fields like:- "First Seen: Reputation, was not used in this detection."
REGEX = ,\"([^:,\"\']*):\s+([^\"]*)\"
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_2]
# Regex for fields like:- First Seen: "Reputation, was not used in this detection."
REGEX = ,([^:,\"\']*):\s+\"([^\"]*)\"
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_3]
# Regex for fields like:- 'First Seen: Reputation, was not used in this detection.'
REGEX = ,\'([^:,\"\']*):\s+([^\']*)\'
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_4]
# Regex for fields like:- First Seen: 'Reputation, was not used in this detection.'
REGEX = ,([^:,\"\']*):\s+\'([^\']*)\'
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_5]
# Regex for fields like:- First Seen: Reputation was not used in this detection.
REGEX = ,([^:,\"\']*):\s+([^,]*)
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_risk_action]
REGEX = ^[^,]*,(\"[^\"]*\"|\'[^\']*\'|[^,]*),
FORMAT = Risk_Action::$1

[field_extraction_file_path_description]
REGEX = ,([^,]*),(\"[^\"]*\"|\'[^\']*\'|[^,]*),Actual\saction:
FORMAT = file_path::$1 Description::$2

[field_extraction_agt_risk_reason_for_white_listing]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Application\shash:
FORMAT = Reason_For_White_Listing::$1

[field_extraction_agt_risk_unknown_field]
REGEX = ,URL\sTracking\sStatus:\s+[^,]*,(.*),First Seen:
FORMAT = Unknown_Field::$1

[field_extraction_proactive_submission_recommendation]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Permitted\sapplication\sreason:
FORMAT = Submission_Recommendation::$1


[field_extraction_for_agt_security_1]
# Regex for event format from SEP version before 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?<SHA_256>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,?(?<MD_5>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Event_Description>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local:\s*(?<Local_Host_IP>[^,]*),Local:\s*(?<Local_Host_MAC>[^,]*),Remote:\s*(?<Remote_Host_Name>[^,]*),Remote:\s*(?<Remote_Host_IP>[^,]*),Remote:\s*(?<Remote_Host_MAC>[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Hack_Type>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin:\s*(?<Begin_Time>[^,]*),?(?:End:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,Local\sPort\s+(?<Local_Port>[^,]*),Remote\sPort\s+(?<Remote_Port>[^,]*),[\"\']?CIDS\sSignature\sID:\s*[\"\']?(?<CIDS_Signature_ID>.*)[\"\']?,[\"\']?CIDS\sSignature\sstring:\s*[\"\']?(?<CIDS_Signature_String>.*)[\"\']?,[\"\']?CIDS\sSignature\sSubID:\s*[\"\']?(?<CIDS_Signature_SubID>.*)[\"\']?,[\"\']?Intrusion URL:\s*[\"\']?(?<Intrusion_URL>.*)[\"\']?,[\"\']?Intrusion\sPayload\sURL:\s*[\"\']?(?<Intrusion_Payload_URL>.*)[\"\']?

[field_extraction_for_agt_security_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Event\sDescription:\s*[\"\']?(?<Event_Description>.*)[\"\']?,Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Hack_Type>.*)[\"\']?)?,Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,Local\sPort:\s*(?<Local_Port>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),[\"\']?CIDS\sSignature\sID:\s*[\"\']?(?<CIDS_Signature_ID>.*)[\"\']?,[\"\']?CIDS\sSignature\sstring:\s*[\"\']?(?<CIDS_Signature_String>.*)[\"\']?,[\"\']?CIDS\sSignature\sSubID:\s*[\"\']?(?<CIDS_Signature_SubID>.*)[\"\']?,[\"\']?Intrusion URL:\s*[\"\']?(?<Intrusion_URL>.*)[\"\']?,[\"\']?Intrusion\sPayload\sURL:\s*[\"\']?(?<Intrusion_Payload_URL>.*)[\"\']?,?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Unknown_Field>.*)[\"\']?)?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_agt_traffic_1]
# Regex for event format from SEP version before 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:SHA-256:\s*(?<SHA_256>[^,]*))?,?(?:MD-5:\s*(?<MD_5>[^,]*))?,Local:\s*(?<Local_Host_IP>[^,]*),Local:\s*(?<Local_Port>[^,]*),Local:\s*(?<Local_Host_MAC>[^,]*),Remote:\s*(?<Remote_Host_IP>[^,]*),Remote:\s*(?<Remote_Host_Name>[^,]*),Remote:\s*(?<Remote_Port>[^,]*),Remote:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin:\s*(?<Begin_Time>[^,]*),?(?:End:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?

[field_extraction_for_agt_traffic_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sPort:\s*(?<Local_Port>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_packet]
# Regex support events for symantec:ep:packet:file sourcetype from all SEP versions
REGEX = (?i)^\s*[^,]*,?(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local(\sPort)?:\s*(?<Local_Port>[^,]*),Remote(\sHost)?(\sIP)?:\s*(?<Remote_Host_IP>[^,]*),Remote(\sHost)?(\sName)?:\s*(?<Remote_Host_Name>[^,]*),Remote(\sPort)?:\s*(?<Remote_Port>[^,]*)(?:,Remote(\sHost)?(\sMAC)?:\s*(?<Remote_Host_MAC>[^,]*))?,?(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?



[caller_md5_from_description]
REGEX = Caller\sMD5=\s*(\w+)




[field_extraction_for_admin]
# (?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Site:\s*(?<Site_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Server:\s*(?<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Admin:\s*(?<Admin_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)
REGEX = (?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])


# field_extraction_for_agt_behavior
# ^(?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),?\s*(?<IP_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)?,\s*(?<vendor_action>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<API>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Begin:\s*(?<Begin_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:End:\s*(?<End_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<rule>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Module>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Parameter>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<user>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Action\sType:\s*(?<Action_Type>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*Device\sID:\s*(?<Device_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?$





[field_extraction_for_agt_proactive]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:Computer\sname:\s*(?<Computer_Name>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?<Detection_Type>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?<Application_Version>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?<Detection_Score>[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?<COH_Engine_Version>[[sep_file_field]]))?,\s*(?<Submission_Recommendation>[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?<Permitted_Application_Reason>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?<Risk_Level>[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?<Risk_Type>[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?<Detection_Source>[[sep_file_field]]))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,\s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End(\sTime)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<user>[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?

[field_extraction_for_policy]
REGEX = (?:[[sep_file_prefix]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]]),\s*(?<Policy_Name>[[sep_file_field]])

props.conf

[symantec:ep:agt_system:file]
# Purpose for below "EVAL": trim ' or " or key from field value.
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

[symantec:ep:scm_system:file]
# Purpose for below "EVAL": trim ' or " or key from field value.
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

[symantec:ep:risk:file]
REPORT-field_extraction_for_agt_risk = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_agt_risk_reason_for_white_listing, field_extraction_agt_risk_unknown_field
FIELDALIAS-0_rename_fields_from_agt_risk_report = "Actual action" as vendor_action "Application hash" as Application_Hash "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Category set" as Category_Set "Category type" as Category_Type "Certificate issuer" as Certificate_Issuer "Certificate serial number" as Certificate_Serial_Number "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Company name" as Company_Name "Computer name" as Computer_Name "Download site" as Download_Site "Downloaded by" as Downloaded_By "Event time" as Event_Time "File size (bytes)" as File_Size "First Seen" as First_Seen "Hash type" as Hash_Type "IP Address" as IP_Address "Intensive Protection Level" as Intensive_Protection_Level "Last update time" as Last_Update_Time "Requested action" as Requested_Action "Risk name" as Risk_Name "Secondary action" as Secondary_Action "Signing timestamp" as Signing_Timestamp "URL Tracking Status" as URL_Tracking_Status "Web domain" as Web_Domain
FIELDALIAS-SEP_risk_signature = "Risk name" as SEP_risk_signature
FIELDALIAS-signature = "Risk name" as signature
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_ip = "IP Address" as dest_ip
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Event_Insert_Time = coalesce('Inserted','Event Insert Time')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server Name','Server')
EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-user = nullif(split(trim(replace(coalesce('User', 'User Name'), "[^:]+:\s*(.*)", "\1"), "\"'"), ","), "")

# trim the quotation marks and key from value
EVAL-Description = nullif(trim(trim(Description, "\"'"), "Description: "), "")

[symantec:ep:proactive:file]
REPORT-field_extraction_for_agt_proactive = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_proactive_submission_recommendation
FIELDALIAS-0_rename_fields_from_proactive_file_report = "Computer name" as Computer_Name "IP Address" as IP_Address "Detection type" as Detection_Type "First Seen" as First_Seen  "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Hash type" as Hash_Type "Application hash" as Application_Hash "Company name" as Company_Name "File size (bytes)" as File_Size "Detection score" as Detection_Score "COH Engine Version" as COH_Engine_Version "Permitted application reason" as Permitted_Application_Reason "Download site" as Download_Site "Web domain" as Web_Domain "Downloaded by" as Downloaded_By "URL Tracking Status" as URL_Tracking_Status "Risk Level" as Risk_Level "Risk type" as Risk_Type "Detection Source" as Detection_Source "Risk name" as Risk_Name "Actual action" as vendor_action "Requested action" as Requested_Action "Secondary action" as Secondary_Action "Event time" as Event_Time "Inserted" as Event_Insert_Time "End" as End_Time "Intensive Protection Level" as Intensive_Protection_Level "Certificate issuer" as Certificate_Issuer "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Signing timestamp" as Signing_Timestamp "Certificate serial number" as Certificate_Serial_Number

EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Server_Name = coalesce('Server','Server Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-user = coalesce('User','User Name')
FIELDALIAS-category = "Detection type" as category
FIELDALIAS-signature = "Application type" as signature
FIELDALIAS-src = "Source computer" as src
FIELDALIAS-src_ip = "Source IP" as src_ip
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_nt_domain = Domain as dest_nt_domain
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type

##### For CIM mapping #######
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:security:file]
REPORT-field_extraction_for_agt_security = field_extraction_for_agt_security_1, field_extraction_for_agt_security_2, category_from_description
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-Event_Description = trim(trim(Event_Description,"\'"),"\"")
EVAL-Intrusion_URL = trim(trim(Intrusion_URL,"\'"),"\"")

[symantec:ep:traffic:file]
REPORT-field_extraction_for_traffic = field_extraction_for_agt_traffic_1, field_extraction_for_agt_traffic_2
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-dest = if(Traffic_Direction=="Inbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))
EVAL-src = if(Traffic_Direction=="Outbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))

[symantec:ep:packet:file]
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")

[symantec:ep:scan:file]
REPORT-field_extraction_for_agt_scan = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_status, field_extraction_start_message_stop_message
FIELDALIAS-0_rename_fields_from_agt_scan_file_report = "Scan ID" as Scan_ID "Duration (seconds)" as Duration "User1" as Client_User_1 "User2" as Client_User_2 "Infected" as Infected_Files "Total files" as Total_Files "Omitted" as Omitted_Files "IP Address" as IP_Address 
EVAL-Begin_Time = coalesce('Begin','Begin Time')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Computer_Name = coalesce('Computer','Computer Name')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server','Server Name')

EVAL-dest = coalesce('Computer','Computer Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:scan:file]
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!