
The add-on for Symantec Endpoint Protection (https://splunkbase.splunk.com/app/2772/) version 3.0.0 is not extracting the fields by default.

dkolekar_splunk
Splunk Employee

We are using the Splunk Add-on for Symantec Endpoint Protection version 3.0.0.
We noticed that the fields are not getting extracted automatically for the following sourcetypes.

  • symantec:ep:risk:file
  • symantec:ep:security:file
  • symantec:ep:traffic:file
  • symantec:ep:packet:file
  • symantec:ep:proactive:file
  • symantec:ep:agt_system:file
  • symantec:ep:scm_system:file
  • symantec:ep:agent:file
  • symantec:ep:scan:file
  • symantec:ep:admin:file
  • symantec:ep:policy:file
1 Solution

dkolekar_splunk
Splunk Employee

This is a known issue reported in ADDON-21970.
The solution is as below:
On the search head:
- Please find the new_props.conf and new_transforms.conf below.
- Take a backup of the add-on's local directory.
- Put new_props.conf and new_transforms.conf in the app's local directory.
- Merge the new_props.conf & new_transforms.conf configuration with the existing ones. (To be safe, keep a backup of the existing ones.)
- Rename them as props.conf & transforms.conf.
- Restart Splunk.
- Verify the extraction.

transforms.conf

[field_extraction_for_agt_system]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),\s*(?:Category:\s*(?<Category>[[sep_file_field]]))?,\s*(?<Event_Source>[[sep_file_field]]),\s*(?<Event_Description>\"[^"]*\"|[^,]*)(,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]])))?
# (?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Category:\s*(?<Category>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<Event_Source>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Event_Description>.*)

[field_extraction_for_scm_system]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])

[field_extraction_for_agent_act]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?:Site:\s*(?P<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?P<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?P<Domain>[[sep_file_field]]))?,\s*(?P<Event_Description>[[sep_file_field]]),\s*(?P<Host_Name>[[sep_file_field]]),\s*(?P<user>[[sep_file_field]]),\s*(?P<Domain_Name>[[sep_file_field]])
# (?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?:Site:\s*(?P<Site_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Server:\s*(?P<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Domain:\s*(?P<Domain>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?P<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<user>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?P<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)

[field_extraction_for_agt_behavior]
REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?<Host_Name>[[sep_file_field]]),?\s*(?<IP_Address>[[sep_file_field]])?,\s*(?<vendor_action>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?<API>[[sep_file_field]]),\s*(?:Begin( Time)?:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End( Time)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?<rule>[[sep_file_field]]),\s*(?<Caller_Process_ID>[[sep_file_field]]),\s*(?<Caller_Process_Name>[[sep_file_field]]),\s*(?<Return_Address>[[sep_file_field]]),\s*(?<Return_Module>[[sep_file_field]]),\s*(?<Parameter>[[sep_file_field]]),\s*(?:User( Name)?:\s*(?<user>[[sep_file_field]])),\s*(?:Domain( Name)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?<Action_Type>[[sep_file_field]]))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]),\s*Device\sID:\s*(?<Device_ID>[[sep_file_field]]))?$

[field_extraction_for_agt_scan]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?:Scan\sID:\s*(?<Scan_ID>[[sep_file_field]]))?,\s*(?:Begin(\sTime)?:\s*(?<Begin_Time>[[sep_file_field]]))?,\s*(?:End(\sTime)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?<Status>[[sep_file_field]]),\s*(?:Duration\s\(seconds\):\s*(?<Duration>[[sep_file_field]]))?,\s*(?:User1:\s*(?<Client_User_1>[[sep_file_field]]))?,\s*(?:User2:\s*(?<Client_User_2>[[sep_file_field]]))?,\s*(?<Start_Message>[[sep_file_field]]),\s*(?<Stop_Message>[[sep_file_field]]),\s*(?:Command:\s*(?<Command>[[sep_file_field]]))?,\s*(?:Threats:\s*(?<Threats>[[sep_file_field]]))?,\s*(?:Infected:\s*(?<Infected_Files>[[sep_file_field]]))?,\s*(?:Total\sFiles:\s*(?<Total_Files>[[sep_file_field]]))?,\s*(?:Omitted:\s*(?<Omitted_Files>[[sep_file_field]]))?,\s*(?:Computer(\sName)?:\s*(?<Computer_Name>[[sep_file_field]]))?,\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?

[field_extraction_start_message_stop_message]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),(\"[^\"]*\"|\'[^\']*\'|[^,]*),Command:
FORMAT = Start_Message::$1 Stop_Message::$2

[field_extraction_status]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Duration:
FORMAT = Status::$1

[field_extraction_key_value_pairs_1]
# Regex for fields like:- "First Seen: Reputation, was not used in this detection."
REGEX = ,\"([^:,\"\']*):\s+([^\"]*)\"
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_2]
# Regex for fields like:- First Seen: "Reputation, was not used in this detection."
REGEX = ,([^:,\"\']*):\s+\"([^\"]*)\"
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_3]
# Regex for fields like:- 'First Seen: Reputation, was not used in this detection.'
REGEX = ,\'([^:,\"\']*):\s+([^\']*)\'
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_4]
# Regex for fields like:- First Seen: 'Reputation, was not used in this detection.'
REGEX = ,([^:,\"\']*):\s+\'([^\']*)\'
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_key_value_pairs_5]
# Regex for fields like:- First Seen: Reputation was not used in this detection.
REGEX = ,([^:,\"\']*):\s+([^,]*)
FORMAT = $1::$2
CLEAN_KEYS = false

[field_extraction_risk_action]
REGEX = ^[^,]*,(\"[^\"]*\"|\'[^\']*\'|[^,]*),
FORMAT = Risk_Action::$1

[field_extraction_file_path_description]
REGEX = ,([^,]*),(\"[^\"]*\"|\'[^\']*\'|[^,]*),Actual\saction:
FORMAT = file_path::$1 Description::$2

[field_extraction_agt_risk_reason_for_white_listing]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Application\shash:
FORMAT = Reason_For_White_Listing::$1

[field_extraction_agt_risk_unknown_field]
REGEX = ,URL\sTracking\sStatus:\s+[^,]*,(.*),First Seen:
FORMAT = Unknown_Field::$1

[field_extraction_proactive_submission_recommendation]
REGEX = ,(\"[^\"]*\"|\'[^\']*\'|[^,]*),Permitted\sapplication\sreason:
FORMAT = Submission_Recommendation::$1


[field_extraction_for_agt_security_1]
# Regex for event format from SEP version before 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?<SHA_256>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,?(?<MD_5>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Event_Description>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local:\s*(?<Local_Host_IP>[^,]*),Local:\s*(?<Local_Host_MAC>[^,]*),Remote:\s*(?<Remote_Host_Name>[^,]*),Remote:\s*(?<Remote_Host_IP>[^,]*),Remote:\s*(?<Remote_Host_MAC>[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Hack_Type>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin:\s*(?<Begin_Time>[^,]*),?(?:End:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,Local\sPort\s+(?<Local_Port>[^,]*),Remote\sPort\s+(?<Remote_Port>[^,]*),[\"\']?CIDS\sSignature\sID:\s*[\"\']?(?<CIDS_Signature_ID>.*)[\"\']?,[\"\']?CIDS\sSignature\sstring:\s*[\"\']?(?<CIDS_Signature_String>.*)[\"\']?,[\"\']?CIDS\sSignature\sSubID:\s*[\"\']?(?<CIDS_Signature_SubID>.*)[\"\']?,[\"\']?Intrusion URL:\s*[\"\']?(?<Intrusion_URL>.*)[\"\']?,[\"\']?Intrusion\sPayload\sURL:\s*[\"\']?(?<Intrusion_Payload_URL>.*)[\"\']?

[field_extraction_for_agt_security_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Event\sDescription:\s*[\"\']?(?<Event_Description>.*)[\"\']?,Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Hack_Type>.*)[\"\']?)?,Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,Local\sPort:\s*(?<Local_Port>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),[\"\']?CIDS\sSignature\sID:\s*[\"\']?(?<CIDS_Signature_ID>.*)[\"\']?,[\"\']?CIDS\sSignature\sstring:\s*[\"\']?(?<CIDS_Signature_String>.*)[\"\']?,[\"\']?CIDS\sSignature\sSubID:\s*[\"\']?(?<CIDS_Signature_SubID>.*)[\"\']?,[\"\']?Intrusion URL:\s*[\"\']?(?<Intrusion_URL>.*)[\"\']?,[\"\']?Intrusion\sPayload\sURL:\s*[\"\']?(?<Intrusion_Payload_URL>.*)[\"\']?,?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Unknown_Field>.*)[\"\']?)?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_agt_traffic_1]
# Regex for event format from SEP version before 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:SHA-256:\s*(?<SHA_256>[^,]*))?,?(?:MD-5:\s*(?<MD_5>[^,]*))?,Local:\s*(?<Local_Host_IP>[^,]*),Local:\s*(?<Local_Port>[^,]*),Local:\s*(?<Local_Host_MAC>[^,]*),Remote:\s*(?<Remote_Host_IP>[^,]*),Remote:\s*(?<Remote_Host_Name>[^,]*),Remote:\s*(?<Remote_Port>[^,]*),Remote:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin:\s*(?<Begin_Time>[^,]*),?(?:End:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?

[field_extraction_for_agt_traffic_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sPort:\s*(?<Local_Port>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_packet]
# Regex support events for symantec:ep:packet:file sourcetype from all SEP versions
REGEX = (?i)^\s*[^,]*,?(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local(\sPort)?:\s*(?<Local_Port>[^,]*),Remote(\sHost)?(\sIP)?:\s*(?<Remote_Host_IP>[^,]*),Remote(\sHost)?(\sName)?:\s*(?<Remote_Host_Name>[^,]*),Remote(\sPort)?:\s*(?<Remote_Port>[^,]*)(?:,Remote(\sHost)?(\sMAC)?:\s*(?<Remote_Host_MAC>[^,]*))?,?(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?



[caller_md5_from_description]
REGEX = Caller\sMD5=\s*(\w+)




[field_extraction_for_admin]
# (?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Site:\s*(?<Site_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Server:\s*(?<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Admin:\s*(?<Admin_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)
REGEX = (?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])


# field_extraction_for_agt_behavior
# ^(?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),?\s*(?<IP_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)?,\s*(?<vendor_action>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<API>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Begin:\s*(?<Begin_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:End:\s*(?<End_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<rule>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Module>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Parameter>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<user>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Action\sType:\s*(?<Action_Type>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*Device\sID:\s*(?<Device_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?$





[field_extraction_for_agt_proactive]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:Computer\sname:\s*(?<Computer_Name>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?<Detection_Type>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?<Application_Version>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?<Detection_Score>[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?<COH_Engine_Version>[[sep_file_field]]))?,\s*(?<Submission_Recommendation>[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?<Permitted_Application_Reason>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?<Risk_Level>[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?<Risk_Type>[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?<Detection_Source>[[sep_file_field]]))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,\s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End(\sTime)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<user>[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?

[field_extraction_for_policy]
REGEX = (?:[[sep_file_prefix]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]]),\s*(?<Policy_Name>[[sep_file_field]])

props.conf

[symantec:ep:agt_system:file]
# Purpose of the EVAL below: strip surrounding ' or " and the "Event Description: " key from the field value.
# trim(X, Y) removes any character of Y from both ends (a character set, not a prefix), so the key is removed with replace().
EVAL-Event_Description = nullif(replace(trim(Event_Description, "\"'"), "^Event Description:\s*", ""), "")

[symantec:ep:scm_system:file]
# Purpose of the EVAL below: strip surrounding ' or " and the "Event Description: " key from the field value.
# trim(X, Y) removes any character of Y from both ends (a character set, not a prefix), so the key is removed with replace().
EVAL-Event_Description = nullif(replace(trim(Event_Description, "\"'"), "^Event Description:\s*", ""), "")

[symantec:ep:risk:file]
REPORT-field_extraction_for_agt_risk = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_agt_risk_reason_for_white_listing, field_extraction_agt_risk_unknown_field
FIELDALIAS-0_rename_fields_from_agt_risk_report = "Actual action" as vendor_action "Application hash" as Application_Hash "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Category set" as Category_Set "Category type" as Category_Type "Certificate issuer" as Certificate_Issuer "Certificate serial number" as Certificate_Serial_Number "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Company name" as Company_Name "Computer name" as Computer_Name "Download site" as Download_Site "Downloaded by" as Downloaded_By "Event time" as Event_Time "File size (bytes)" as File_Size "First Seen" as First_Seen "Hash type" as Hash_Type "IP Address" as IP_Address "Intensive Protection Level" as Intensive_Protection_Level "Last update time" as Last_Update_Time "Requested action" as Requested_Action "Risk name" as Risk_Name "Secondary action" as Secondary_Action "Signing timestamp" as Signing_Timestamp "URL Tracking Status" as URL_Tracking_Status "Web domain" as Web_Domain
FIELDALIAS-SEP_risk_signature = "Risk name" as SEP_risk_signature
FIELDALIAS-signature = "Risk name" as signature
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_ip = "IP Address" as dest_ip
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Event_Insert_Time = coalesce('Inserted','Event Insert Time')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server Name','Server')
EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-user = nullif(split(trim(replace(coalesce('User', 'User Name'), "[^:]+:\s*(.*)", "\1"), "\"'"), ","), "")

# strip the quotation marks and the "Description: " key from the value (trim() strips a character set, so the key is removed with replace())
EVAL-Description = nullif(replace(trim(Description, "\"'"), "^Description:\s*", ""), "")

[symantec:ep:proactive:file]
REPORT-field_extraction_for_agt_proactive = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_proactive_submission_recommendation
FIELDALIAS-0_rename_fields_from_proactive_file_report = "Computer name" as Computer_Name "IP Address" as IP_Address "Detection type" as Detection_Type "First Seen" as First_Seen  "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Hash type" as Hash_Type "Application hash" as Application_Hash "Company name" as Company_Name "File size (bytes)" as File_Size "Detection score" as Detection_Score "COH Engine Version" as COH_Engine_Version "Permitted application reason" as Permitted_Application_Reason "Download site" as Download_Site "Web domain" as Web_Domain "Downloaded by" as Downloaded_By "URL Tracking Status" as URL_Tracking_Status "Risk Level" as Risk_Level "Risk type" as Risk_Type "Detection Source" as Detection_Source "Risk name" as Risk_Name "Actual action" as vendor_action "Requested action" as Requested_Action "Secondary action" as Secondary_Action "Event time" as Event_Time "Inserted" as Event_Insert_Time "End" as End_Time "Intensive Protection Level" as Intensive_Protection_Level "Certificate issuer" as Certificate_Issuer "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Signing timestamp" as Signing_Timestamp "Certificate serial number" as Certificate_Serial_Number

EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Server_Name = coalesce('Server','Server Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-user = coalesce('User','User Name')
FIELDALIAS-category = "Detection type" as category
FIELDALIAS-signature = "Application type" as signature
FIELDALIAS-src = "Source computer" as src
FIELDALIAS-src_ip = "Source IP" as src_ip
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_nt_domain = Domain as dest_nt_domain
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type

##### For CIM mapping #######
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:security:file]
REPORT-field_extraction_for_agt_security = field_extraction_for_agt_security_1, field_extraction_for_agt_security_2, category_from_description
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-Event_Description = trim(trim(Event_Description,"\'"),"\"")
EVAL-Intrusion_URL = trim(trim(Intrusion_URL,"\'"),"\"")

[symantec:ep:traffic:file]
REPORT-field_extraction_for_traffic = field_extraction_for_agt_traffic_1, field_extraction_for_agt_traffic_2
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-dest = if(Traffic_Direction=="Inbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))
EVAL-src = if(Traffic_Direction=="Outbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))

[symantec:ep:packet:file]
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")

[symantec:ep:scan:file]
REPORT-field_extraction_for_agt_scan = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_status, field_extraction_start_message_stop_message
FIELDALIAS-0_rename_fields_from_agt_scan_file_report = "Scan ID" as Scan_ID "Duration (seconds)" as Duration "User1" as Client_User_1 "User2" as Client_User_2 "Infected" as Infected_Files "Total files" as Total_Files "Omitted" as Omitted_Files "IP Address" as IP_Address 
EVAL-Begin_Time = coalesce('Begin','Begin Time')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Computer_Name = coalesce('Computer','Computer Name')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server','Server Name')

EVAL-dest = coalesce('Computer','Computer Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:scan:file]
# trim() strips a character set, so the "Event Description: " key is removed with replace()
EVAL-Event_Description = nullif(replace(trim(Event_Description, "\"'"), "^Event Description:\s*", ""), "")

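Before restarting Splunk on the search head it is worth checking what the [symantec:ep:risk:file] REPORT transforms above will actually pull out of an event. The script below is an added example, not code from the add-on or from the post: it copies the nine transforms and a subset of the FIELDALIAS list for that sourcetype and runs them over a constructed risk event, assuming a simplified REPORT model (transforms applied in order, first value per field wins; real Splunk may keep multivalues). The Description cleanup uses a regex because Splunk's trim(X, Y) strips the set of characters in Y from both ends rather than a prefix string.

```python
import re
from collections import OrderedDict

# The nine REPORT transforms listed for [symantec:ep:risk:file], copied from the
# posted transforms.conf as (REGEX, FORMAT) pairs, in REPORT order.
RISK_TRANSFORMS = [
    # field_extraction_key_value_pairs_1 .. _5: "key: value" with various quoting
    (r',"([^:,"\']*):\s+([^"]*)"', "$1::$2"),
    (r',([^:,"\']*):\s+"([^"]*)"', "$1::$2"),
    (r',\'([^:,"\']*):\s+([^\']*)\'', "$1::$2"),
    (r',([^:,"\']*):\s+\'([^\']*)\'', "$1::$2"),
    (r',([^:,"\']*):\s+([^,]*)', "$1::$2"),
    # field_extraction_risk_action
    (r'^[^,]*,("[^"]*"|\'[^\']*\'|[^,]*),', "Risk_Action::$1"),
    # field_extraction_file_path_description
    (r',([^,]*),("[^"]*"|\'[^\']*\'|[^,]*),Actual\saction:', "file_path::$1 Description::$2"),
    # field_extraction_agt_risk_reason_for_white_listing
    (r',("[^"]*"|\'[^\']*\'|[^,]*),Application\shash:', "Reason_For_White_Listing::$1"),
    # field_extraction_agt_risk_unknown_field
    (r',URL\sTracking\sStatus:\s+[^,]*,(.*),First Seen:', "Unknown_Field::$1"),
]

# Subset of FIELDALIAS-0_rename_fields_from_agt_risk_report from the posted props.conf.
RISK_ALIASES = {
    "Actual action": "vendor_action",
    "Computer name": "Computer_Name",
    "IP Address": "IP_Address",
    "First Seen": "First_Seen",
    "Risk name": "Risk_Name",
    "Requested action": "Requested_Action",
}

# Constructed risk event in the SEP "key: value" CSV style; not a real log line.
SAMPLE_EVENT = (
    r"2020-01-15 10:22:33,Security risk found,Computer name: HOST01,"
    r"IP Address: 10.0.0.5,"
    r'"First Seen: Reputation, was not used in this detection.",'
    r"Risk name: 'EICAR Test String',Occurrences: 1,"
    r"C:\Temp\eicar.com,"
    r'"EICAR test file",Actual action: Quarantined,Requested action: Quarantined'
)

FORMAT_TOKEN = re.compile(r"\$(\d+)")


def apply_format(fmt, match):
    """Expand a FORMAT such as 'file_path::$1 Description::$2' for one regex match.

    A function replacement is used so backslashes in captured values
    (Windows paths) are copied through untouched.
    """
    def group(m):
        return match.group(int(m.group(1))) or ""
    pairs = []
    for token in fmt.split():
        name, value = token.split("::", 1)
        pairs.append((FORMAT_TOKEN.sub(group, name), FORMAT_TOKEN.sub(group, value)))
    return pairs


def extract(event, transforms):
    """Simplified REPORT model (assumption): run each transform in order over the
    whole event and keep the first value seen for every field name."""
    fields = OrderedDict()
    for regex, fmt in transforms:
        for m in re.finditer(regex, event):
            for name, value in apply_format(fmt, m):
                fields.setdefault(name, value)
    return fields


def apply_aliases(fields, aliases):
    """FIELDALIAS keeps the original field and adds the alias beside it."""
    out = OrderedDict(fields)
    for src, dst in aliases.items():
        if src in fields:
            out[dst] = fields[src]
    return out


def clean_description(value):
    """What EVAL-Description in props.conf intends: drop surrounding quotes and a
    leading 'Description: ' key, returning None for an empty result (nullif).
    Splunk's trim(X, Y) strips any character of Y from both ends, so the key
    prefix is removed with a regex rather than a second trim()."""
    cleaned = re.sub(r"^Description:\s*", "", value.strip("\"'"))
    return cleaned or None


if __name__ == "__main__":
    extracted = apply_aliases(extract(SAMPLE_EVENT, RISK_TRANSFORMS), RISK_ALIASES)
    for name, value in extracted.items():
        print(f"{name:26s} = {value}")
    print("Description (cleaned)      =", clean_description(extracted["Description"]))
```

Fields that never appear for the sample (Reason_For_White_Listing, Unknown_Field) simply stay absent, which is the same thing you will see in Splunk when a transform's anchor text is missing from the event.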

rriegert
New Member

I'm using the updated props/transforms files posted by dkolekar; however, I have a few questions.

- In lines 3 and 10 of transforms, are they supposed to be commented out?
- In lines 108 and 113, are those supposed to be commented out or have REGEX = in front of them?

I'm also running SEP 14 RU2 MP1, and I can't seem to get the file_name field parsed correctly, like I could with RU1. Any help with that specific extraction?

Thanks


goelli
Communicator

I think the best idea is to file a case with Splunk support to receive the most current beta version of props/transforms, or to wait for version 3.0.1 of the Add-On.

Best regards



[field_extraction_for_agt_security_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Event\sDescription:\s*[\"\']?(?<Event_Description>.*)[\"\']?,Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Hack_Type>.*)[\"\']?)?,Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,Local\sPort:\s*(?<Local_Port>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),[\"\']?CIDS\sSignature\sID:\s*[\"\']?(?<CIDS_Signature_ID>.*)[\"\']?,[\"\']?CIDS\sSignature\sstring:\s*[\"\']?(?<CIDS_Signature_String>.*)[\"\']?,[\"\']?CIDS\sSignature\sSubID:\s*[\"\']?(?<CIDS_Signature_SubID>.*)[\"\']?,[\"\']?Intrusion URL:\s*[\"\']?(?<Intrusion_URL>.*)[\"\']?,[\"\']?Intrusion\sPayload\sURL:\s*[\"\']?(?<Intrusion_Payload_URL>.*)[\"\']?,?(?:[\"\']?Intrusion\sID:\s*[\"\']?(?<Unknown_Field>.*)[\"\']?)?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_agt_traffic_1]
# Regex for event format from SEP version before 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),?(?:SHA-256:\s*(?<SHA_256>[^,]*))?,?(?:MD-5:\s*(?<MD_5>[^,]*))?,Local:\s*(?<Local_Host_IP>[^,]*),Local:\s*(?<Local_Port>[^,]*),Local:\s*(?<Local_Host_MAC>[^,]*),Remote:\s*(?<Remote_Host_IP>[^,]*),Remote:\s*(?<Remote_Host_Name>[^,]*),Remote:\s*(?<Remote_Port>[^,]*),Remote:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin:\s*(?<Begin_Time>[^,]*),?(?:End:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?

[field_extraction_for_agt_traffic_2]
# Regex for event format from SEP version 14.2RU1
REGEX = (?i)^\s*[^,]*,(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local\sPort:\s*(?<Local_Port>[^,]*),Local\sHost\sMAC:\s*(?<Local_Host_MAC>[^,]*),Remote\sHost\sIP:\s*(?<Remote_Host_IP>[^,]*),Remote\sHost\sName:\s*(?<Remote_Host_Name>[^,]*),Remote\sPort:\s*(?<Remote_Port>[^,]*),Remote\sHost\sMAC:\s*(?<Remote_Host_MAC>[^,]*),(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*),(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),Begin(\sTime)?:\s*(?<Begin_Time>[^,]*),?(?:End(\sTime)?:\s*(?<End_Time>[^,]*))?,Occurrences:\s*(?<Occurrences>[^,]*),[\"\']?Application(\sName)?:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Rule:\s*[\"\']?(?<rule>.*)[\"\']?,[\"\']?Location:\s*[\"\']?(?<Location>.*)[\"\']?,[\"\']?User(\sName)?:\s*[\"\']?(?<user>.*)[\"\']?,[\"\']?Domain(\sName)?:\s*[\"\']?(?<Domain_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?,SHA-256:\s*(?<SHA_256>[^,]*),MD-5:\s*(?<MD_5>[^,]*)


[field_extraction_for_packet]
# Regex support events for symantec:ep:packet:file sourcetype from all SEP versions
REGEX = (?i)^\s*[^,]*,?(?<vendor_severity>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Host_Name>\"[^\"]*\"|\'[^\']*\'|[^,]*),Local(\sHost)?(\sIP)?:\s*(?<Local_Host_IP>[^,]*),Local(\sPort)?:\s*(?<Local_Port>[^,]*),Remote(\sHost)?(\sIP)?:\s*(?<Remote_Host_IP>[^,]*),Remote(\sHost)?(\sName)?:\s*(?<Remote_Host_Name>[^,]*),Remote(\sPort)?:\s*(?<Remote_Port>[^,]*)(?:,Remote(\sHost)?(\sMAC)?:\s*(?<Remote_Host_MAC>[^,]*))?,?(?<Network_Protocol>\"[^\"]*\"|\'[^\']*\'|[^,]*)?,(?<Traffic_Direction>\"[^\"]*\"|\'[^\']*\'|[^,]*),[\"\']?Application:\s*[\"\']?(?<Application_Name>.*)[\"\']?,[\"\']?Action:\s*[\"\']?(?<vendor_action>.*)[\"\']?



[caller_md5_from_description]
REGEX = Caller\sMD5=\s*(\w+)




[field_extraction_for_admin]
# (?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Site:\s*(?<Site_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Server:\s*(?<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Admin:\s*(?<Admin_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)
REGEX = (?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])


# field_extraction_for_agt_behavior
# ^(?i)(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*),\s*(?<vendor_severity>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Host_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),?\s*(?<IP_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)?,\s*(?<vendor_action>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<API>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Begin:\s*(?<Begin_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:End:\s*(?<End_Time>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?<rule>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Caller_Process_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Address>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Return_Module>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Parameter>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<user>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?:Domain:\s*(?<Domain_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?,\s*(?:Action\sType:\s*(?<Action_Type>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?(?:,\s*File\ssize\s\(bytes\):\s*(?<File_Size>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*Device\sID:\s*(?<Device_ID>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*))?$





[field_extraction_for_agt_proactive]
REGEX = (?i)(?:[[sep_file_prefix]]),\s*(?<Risk_Action>[[sep_file_field]]),\s*(?:Computer\sname:\s*(?<Computer_Name>[[sep_file_field]]))?,?\s*(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[[sep_file_field]]))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[[sep_file_field]]))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[[sep_file_field]]))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[[sep_file_field]]))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[[sep_file_field]]))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[[sep_file_field]]))?,?\s*(?:IP\sAddress:\s*(?<IP_Address>[[sep_file_field]]))?,\s*(?:Detection\stype:\s*(?<Detection_Type>[[sep_file_field]]))?,\s*(?:First\sseen:\s*(?<First_Seen>[[sep_file_field]]))?,\s*(?:Application\sname:\s*(?<Application_Name>[[sep_file_field]]))?,\s*(?:Application\stype:\s*(?<Application_Type>[[sep_file_field]]))?,\s*(?:Application\sversion:\s*(?<Application_Version>[[sep_file_field]]))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[[sep_file_field]]))?,\s*(?:Application\shash:\s*(?<Application_Hash>[[sep_file_field]]))?,\s*(?:Company\sname:\s*(?<Company_Name>.*))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[[sep_file_field]]))?,\s*(?:Sensitivity:\s*(?<Sensitivity>[[sep_file_field]]))?,\s*(?:Detection\sscore:\s*(?<Detection_Score>[[sep_file_field]]))?,\s*(?:COH\sEngine\sVersion:\s*(?<COH_Engine_Version>[[sep_file_field]]))?,\s*(?<Submission_Recommendation>[[sep_file_field]]),\s*(?:Permitted\sapplication\sreason:\s*(?<Permitted_Application_Reason>[[sep_file_field]]))?,\s*(?:Disposition:\s*(?<Disposition>[[sep_file_field]]))?,\s*(?:Download\ssite:\s*(?<Download_Site>[[sep_file_field]]))?,\s*(?:Web\sdomain:\s*(?<Web_Domain>.*))?,\s*(?:Downloaded\sby:\s*(?<Downloaded_By>[[sep_file_field]]))?,\s*(?:Prevalence:\s*(?<Prevalence>[[sep_file_field]]))?,\s*(?:Confidence:\s*(?<Confidence>[[sep_file_field]]))?,\s*(?:URL\sTracking\sStatus:\s*(?<URL_Tracking_Status>[[sep_file_field]]))?,\s*(?:Risk\sLevel:\s*(?<Risk_Level>[[sep_file_field]]))?,?\s*(?:Risk\stype:\s*(?<Risk_Type>[[sep_file_field]]))?,?\s*(?:Detection\sSource:\s*(?<Detection_Source>[[sep_file_field]]))?,\s*(?:Source:\s*(?<Source>[[sep_file_field]]))?,\s*(?:Risk\sname:\s*(?<Risk_Name>[[sep_file_field]]))?,\s*(?:Occurrences:\s*(?<Occurrences>[[sep_file_field]]))?,\s*(?<file_path>[[sep_file_field]]),\s*(?<Description>[[sep_file_field]]),\s*(?:Actual\saction:\s*(?<vendor_action>[[sep_file_field]]))?,\s*(?:Requested\saction:\s*(?<Requested_Action>[[sep_file_field]]))?,\s*(?:Secondary\saction:\s*(?<Secondary_Action>[[sep_file_field]]))?,\s*(?:Event\stime:\s*(?<Event_Time>[[sep_file_field]]))?,\s*(?:Inserted:\s*(?<Event_Insert_Time>[[sep_file_field]]))?,\s*(?:End(\sTime)?:\s*(?<End_Time>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Group(\sName)?:\s*(?<Group_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?<user>[[sep_file_field]]),\s*(?:Source\scomputer:\s*(?<Source_Computer_Name>[[sep_file_field]]))?,\s*(?:Source\sIP:\s*(?<Source_Computer_IP>[[sep_file_field]]))?

[field_extraction_for_policy]
REGEX = (?:[[sep_file_prefix]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]]),\s*(?<Policy_Name>[[sep_file_field]])

props.conf

[symantec:ep:agt_system:file]
# Purpose for below "EVAL": trim ' or " or key from field value.
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

[symantec:ep:scm_system:file]
# Purpose for below "EVAL": trim ' or " or key from field value.
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")

[symantec:ep:risk:file]
REPORT-field_extraction_for_agt_risk = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_agt_risk_reason_for_white_listing, field_extraction_agt_risk_unknown_field
FIELDALIAS-0_rename_fields_from_agt_risk_report = "Actual action" as vendor_action "Application hash" as Application_Hash "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Category set" as Category_Set "Category type" as Category_Type "Certificate issuer" as Certificate_Issuer "Certificate serial number" as Certificate_Serial_Number "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Company name" as Company_Name "Computer name" as Computer_Name "Download site" as Download_Site "Downloaded by" as Downloaded_By "Event time" as Event_Time "File size (bytes)" as File_Size "First Seen" as First_Seen "Hash type" as Hash_Type "IP Address" as IP_Address "Intensive Protection Level" as Intensive_Protection_Level "Last update time" as Last_Update_Time "Requested action" as Requested_Action "Risk name" as Risk_Name "Secondary action" as Secondary_Action "Signing timestamp" as Signing_Timestamp "URL Tracking Status" as URL_Tracking_Status "Web domain" as Web_Domain
FIELDALIAS-SEP_risk_signature = "Risk name" as SEP_risk_signature
FIELDALIAS-signature = "Risk name" as signature
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_ip = "IP Address" as dest_ip
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Event_Insert_Time = coalesce('Inserted','Event Insert Time')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server Name','Server')
EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-user = nullif(split(trim(replace(coalesce('User', 'User Name'), "[^:]+:\s*(.*)", "\1"), "\"'"), ","), "")

# trim the quotation marks and key from value
EVAL-Description = nullif(trim(trim(Description, "\"'"), "Description: "), "")

[symantec:ep:proactive:file]
REPORT-field_extraction_for_agt_proactive = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_risk_action, field_extraction_file_path_description, field_extraction_proactive_submission_recommendation
FIELDALIAS-0_rename_fields_from_proactive_file_report = "Computer name" as Computer_Name "IP Address" as IP_Address "Detection type" as Detection_Type "First Seen" as First_Seen  "Application name" as Application_Name "Application type" as Application_Type "Application version" as Application_Version "Hash type" as Hash_Type "Application hash" as Application_Hash "Company name" as Company_Name "File size (bytes)" as File_Size "Detection score" as Detection_Score "COH Engine Version" as COH_Engine_Version "Permitted application reason" as Permitted_Application_Reason "Download site" as Download_Site "Web domain" as Web_Domain "Downloaded by" as Downloaded_By "URL Tracking Status" as URL_Tracking_Status "Risk Level" as Risk_Level "Risk type" as Risk_Type "Detection Source" as Detection_Source "Risk name" as Risk_Name "Actual action" as vendor_action "Requested action" as Requested_Action "Secondary action" as Secondary_Action "Event time" as Event_Time "Inserted" as Event_Insert_Time "End" as End_Time "Intensive Protection Level" as Intensive_Protection_Level "Certificate issuer" as Certificate_Issuer "Certificate signer" as Certificate_Signer "Certificate thumbprint" as Certificate_Thumbprint "Signing timestamp" as Signing_Timestamp "Certificate serial number" as Certificate_Serial_Number

EVAL-Source_Computer_Name = coalesce('Source computer','Source Computer Name')
EVAL-Source_Computer_IP = coalesce('Source IP','Source Computer IP')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Server_Name = coalesce('Server','Server Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-user = coalesce('User','User Name')
FIELDALIAS-category = "Detection type" as category
FIELDALIAS-signature = "Application type" as signature
FIELDALIAS-src = "Source computer" as src
FIELDALIAS-src_ip = "Source IP" as src_ip
FIELDALIAS-dest = "Computer name" as dest
FIELDALIAS-dest_nt_domain = Domain as dest_nt_domain
FIELDALIAS-file_hash = "Application hash" as file_hash
FIELDALIAS-file_hash_type = "Hash type" as file_hash_type

##### For CIM mapping #######
EVAL-src = coalesce('Source computer','Source Computer Name')
EVAL-src_ip = coalesce('Source IP','Source Computer IP')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:security:file]
REPORT-field_extraction_for_agt_security = field_extraction_for_agt_security_1, field_extraction_for_agt_security_2, category_from_description
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-Event_Description = trim(trim(Event_Description,"\'"),"\"")
EVAL-Intrusion_URL = trim(trim(Intrusion_URL,"\'"),"\"")

[symantec:ep:traffic:file]
REPORT-field_extraction_for_traffic = field_extraction_for_agt_traffic_1, field_extraction_for_agt_traffic_2
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")
EVAL-dest = if(Traffic_Direction=="Inbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))
EVAL-src = if(Traffic_Direction=="Outbound", if(Host_Name=="" OR isnull(Host_Name), Local_Host_IP, trim(trim(Host_Name,"\'"),"\"")), if(Remote_Host_Name=="" OR isnull(Remote_Host_Name), Remote_Host_IP, Remote_Host_Name))

[symantec:ep:packet:file]
EVAL-Host_Name = trim(trim(Host_Name,"\'"),"\"")

[symantec:ep:scan:file]
REPORT-field_extraction_for_agt_scan = field_extraction_key_value_pairs_1, field_extraction_key_value_pairs_2, field_extraction_key_value_pairs_3, field_extraction_key_value_pairs_4, field_extraction_key_value_pairs_5, field_extraction_status, field_extraction_start_message_stop_message
FIELDALIAS-0_rename_fields_from_agt_scan_file_report = "Scan ID" as Scan_ID "Duration (seconds)" as Duration "User1" as Client_User_1 "User2" as Client_User_2 "Infected" as Infected_Files "Total files" as Total_Files "Omitted" as Omitted_Files "IP Address" as IP_Address 
EVAL-Begin_Time = coalesce('Begin','Begin Time')
EVAL-End_Time = coalesce('End','End Time')
EVAL-Computer_Name = coalesce('Computer','Computer Name')
EVAL-Domain_Name = coalesce('Domain','Domain Name')
EVAL-Group_Name = coalesce('Group','Group Name')
EVAL-Server_Name = coalesce('Server','Server Name')

EVAL-dest = coalesce('Computer','Computer Name')
EVAL-dest_nt_domain = coalesce('Domain','Domain Name')

[symantec:ep:scan:file]
EVAL-Event_Description = nullif(trim(trim(Event_Description, "\"'"), "Event Description: "), "")
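For the final step of the answer above ("Verify the extraction"), the following is an added Python harness, not code from the post, from Splunk or from the add-on, that dry-runs three of the posted transforms against constructed sample events before you restart Splunk. It assumes expansions for the add-on's `[[sep_file_prefix]]` and `[[sep_file_field]]` macros (reconstructed from the commented-out regexes in the same transforms.conf; the real definitions are not on this page and may differ), converts the PCRE `(?<name>...)` groups to Python's `(?P<name>...)`, and mirrors the quote-trimming EVALs and a subset of the FIELDALIAS entries from the posted props.conf. The two sample lines are constructed, not real SEP log output.

```python
import re

# Added verification harness (not part of the post or the add-on). The two macro
# expansions below are ASSUMPTIONS: the real [[sep_file_prefix]] / [[sep_file_field]]
# definitions live elsewhere in the add-on's transforms.conf and were reconstructed
# here from the commented-out regexes in the same file.
MACROS = {
    "sep_file_prefix": r"""\s*'[^']*'|\s*"[^"]*"|\s*[^,]*""",
    "sep_file_field": r"""[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*""",
}

# Three stanzas copied verbatim from the post's transforms.conf.
TRANSFORMS_CONF = r"""
[field_extraction_key_value_pairs_1]
REGEX = ,\"([^:,\"\']*):\s+([^\"]*)\"
FORMAT = $1::$2

[field_extraction_key_value_pairs_5]
REGEX = ,([^:,\"\']*):\s+([^,]*)
FORMAT = $1::$2

[field_extraction_for_admin]
REGEX = (?:[[sep_file_prefix]]),\s*(?<vendor_severity>[[sep_file_field]]),\s*(?:Site:\s*(?<Site_Name>[[sep_file_field]]))?,\s*(?:Server(\sName)?:\s*(?<Server_Name>[[sep_file_field]]))?,\s*(?:Domain(\sName)?:\s*(?<Domain_Name>[[sep_file_field]]))?,\s*(?:Admin:\s*(?<Admin_Name>[[sep_file_field]]))?,\s*(?<Event_Description>[[sep_file_field]])
"""

# Subset of the FIELDALIAS entries from the post's [symantec:ep:risk:file] stanza.
RISK_ALIASES = {"Risk name": "Risk_Name", "Actual action": "vendor_action",
                "Computer name": "dest", "IP Address": "dest_ip"}

# Constructed sample events (not real SEP output); the layout follows the regexes.
RISK_LINE = ('Security risk found,Computer name: WS01,IP Address: 10.0.0.5,'
             '"First Seen: Reputation, was not used in this detection.",'
             'Risk name: EICAR Test String,Actual action: Quarantined')
ADMIN_LINE = ('2024-03-01 09:15:02,Info,Site: Site HQ,Server: SEPM01,'
              'Domain: Default,Admin: admin,'
              '"Administrator admin logged in, session started"')


def parse_transforms(text):
    """Minimal transforms.conf reader: {stanza: {"REGEX": ..., "FORMAT": ...}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def to_python_regex(splunk_regex):
    """Expand [[macro]] references and turn PCRE (?<name>...) into Python (?P<name>...)."""
    expanded = re.sub(r"\[\[(\w+)\]\]", lambda m: MACROS[m.group(1)], splunk_regex)
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", expanded))


def extract(stanza, line):
    """Apply one transform to one event; the first value wins for a repeated field name."""
    pattern = to_python_regex(stanza["REGEX"])
    fields = {}
    if stanza.get("FORMAT") == "$1::$2":
        # Key/value style: group 1 names the field, group 2 is its value. Every match
        # on the line is taken; Splunk's own repeat-match semantics are not modelled.
        for m in pattern.finditer(line):
            fields.setdefault(m.group(1).strip(), m.group(2))
    else:
        m = pattern.search(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
    return fields


def strip_quotes(value):
    """Strip surrounding ' or " like the trim() EVALs in the post's props.conf."""
    return value.strip("\"'")


def risk_fields(line=RISK_LINE):
    """Chain the key/value transforms as the risk-file REPORT- list does, then alias."""
    stanzas = parse_transforms(TRANSFORMS_CONF)
    fields = {}
    for name in ("field_extraction_key_value_pairs_1", "field_extraction_key_value_pairs_5"):
        for key, value in extract(stanzas[name], line).items():
            fields.setdefault(key, value)
    for raw, alias in RISK_ALIASES.items():
        if raw in fields:
            fields[alias] = fields[raw]
    return fields


def admin_fields(line=ADMIN_LINE):
    """Run the admin-file transform and apply the quote trimming props.conf would do."""
    stanzas = parse_transforms(TRANSFORMS_CONF)
    raw = extract(stanzas["field_extraction_for_admin"], line)
    return {k: strip_quotes(v) for k, v in raw.items()}


if __name__ == "__main__":
    for name, result in (("risk", risk_fields()), ("admin", admin_fields())):
        print(name)
        for k, v in sorted(result.items()):
            print(f"  {k} = {v!r}")
```

Paste a few real lines from your own SEP export into `RISK_LINE` / `ADMIN_LINE` and compare the printed fields with what you expect to see in search after the restart; a field that comes back empty or still carries its key name or quotes points at the regex or EVAL to fix. The harness only uses Python's `re`, so transforms that rely on PCRE-only features, or that put `(?i)` after a leading `^` as some of the posted regexes do, need adjusting before they can be dry-run this way.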