Splunk Enterprise Security

Field Extraction - Nothing is happening

To cut a long story short, I'm looking to extract a CVE number for my Vulnerabilities Data Model for ES.
An example of the field I want to extract from is:
plugin_name: Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)
I want to create a field called 'cve' which extracts CVE-2020-0674.
If I rex this in a search, it is fine:

| rex field=_raw "\((?<cve>CVE[\w-]+)"

If I add this as an extracted field by editing props.conf (as shown below) then nothing gets extracted. Does anyone know why?

[source:type]
EXTRACT-cve = (?<cve>CVE[\w-]+)
0 Karma

Ultra Champion

Don't forget the double :: when defining props stanzas that apply to a 'source':

  [source::/some/source]
  EXTRACT-cve = (?<cve>CVE[\w-]+)

{note: edited for clarity}

0 Karma

Ultra Champion

Can you give us the entire stanza from props.conf?

0 Karma

[nessus:scan]
EXTRACT-cve = \((?<cve>CVE[\w-]+)

I've created a props.conf in a 'local' folder in the TA, so that's all that's in that file.

0 Karma

Ultra Champion

Also - just picking up on this sentence:

I've created a props.conf in a 'local' folder in the TA, so that's all that's in that file.

Is that TA (App) shared globally on the search head?
In order for your extraction to be available in another app, you need to make sure that it is shared globally.

If you have a TA which is not 'visible' in your apps list on the SH, then unless it is shared globally you will never be in that app's context, so your extractions won't be visible from, say, 'Search and Reporting' or any other app.

0 Karma

Ultra Champion

Ah ok, confusion with "source" vs "sourcetype"

If your props stanza is a source you must use
[source::/var/log/mylog]

if it's a sourcetype you just use the sourcetype name which in your case is nessus:scan, so
[nessus:scan]
is correct.

Out of interest, how are you collecting logs from nessus - are you using an app to collect data from Security Centre via the API? (if so which one)

0 Karma

Ultra Champion

Sorry - hit submit too early...

The reason I ask is that I suspect the logs are being imported as JSON, which means the raw event may look different to what you see rendered as events in the UI.

Could you try (?<cve>CVE[^)]+) as the regex instead?

0 Karma
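An offline way to check the points raised in this thread (which stanza header form applies to an event, and whether the regex still matches once the raw event is JSON rather than the rendered line) is to model the EXTRACT-* lookup in a few lines of Python. This is an added example, not code from the thread or from Splunk: the stanza selection is a simplified model (exact sourcetype match, shell-style wildcards for source::, host:: ignored), the PCRE named-group syntax (?<name>...) that props.conf uses is rewritten to Python's (?P<name>...), and the helper names, file paths and sample events are all constructed for the example.

```python
"""Added example, not from this thread or from Splunk: a small offline model of
how a props.conf EXTRACT-<name> rule is selected and applied, so the stanza
header forms discussed here (a bare sourcetype name such as [nessus:scan]
versus [source::/path]) and the regex can be tried against sample events
before editing anything on the search head.  Assumptions: stanza selection is
simplified (exact sourcetype match, shell-style wildcards for source::, host::
stanzas ignored) and PCRE named groups (?<name>...) are rewritten to Python's
(?P<name>...).  All sample events and paths are constructed."""
import fnmatch
import json
import re

# Constructed props.conf: the asker's sourcetype stanza plus a source:: stanza
# in the form the first reply describes.
PROPS_CONF = r"""
[nessus:scan]
EXTRACT-cve = \((?<cve>CVE[\w-]+)

[source::/var/log/mylog]
EXTRACT-cve = (?<cve>CVE[^)]+)
"""

# Constructed events: the rendered line from the question, the same content as
# a JSON event (what _raw may look like if the collector ingests JSON), an
# event only the source:: stanza should pick up, and one nothing should match.
PLUGIN_NAME = ("Internet Explorer Scripting Engine Memory Corruption "
               "Vulnerability (CVE-2020-0674)")
SAMPLE_EVENTS = [
    {"sourcetype": "nessus:scan", "source": "/opt/nessus/scan.log",
     "raw": "plugin_name: " + PLUGIN_NAME},
    {"sourcetype": "nessus:scan", "source": "/opt/nessus/scan.log",
     "raw": json.dumps({"plugin_name": PLUGIN_NAME, "severity": "critical"})},
    {"sourcetype": "syslog", "source": "/var/log/mylog",
     "raw": "finding: " + PLUGIN_NAME},
    {"sourcetype": "syslog", "source": "/var/log/other",
     "raw": "finding: " + PLUGIN_NAME},
]


def parse_props(text):
    """Parse props.conf-style text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).
    Lookbehinds (?<= and (?<! do not start with a name and are left alone."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def stanza_applies(name, sourcetype, source):
    """A double-colon prefix selects by source (or host); any other header is
    read as a sourcetype name, so [source:type] with a single colon would only
    ever match a sourcetype literally called 'source:type'."""
    if name.startswith("source::"):
        return fnmatch.fnmatchcase(source, name[len("source::"):])
    if name.startswith("host::"):
        return False  # host matching is not modelled in this example
    return name == sourcetype


def extract_fields(props_text, sourcetype, source, raw):
    """Return the fields every applicable EXTRACT-* rule adds to one event."""
    fields = {}
    for name, keys in parse_props(props_text).items():
        if not stanza_applies(name, sourcetype, source):
            continue
        for key, pattern in keys.items():
            if key.startswith("EXTRACT-"):
                match = re.search(pcre_to_python(pattern), raw)
                if match:
                    fields.update({k: v for k, v in match.groupdict().items()
                                   if v is not None})
    return fields


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["sourcetype"], event["source"], "->",
              extract_fields(PROPS_CONF, **event))
```

Running it shows the JSON-encoded event still yields cve=CVE-2020-0674, because json.dumps leaves parentheses unescaped, so a JSON raw event on its own would not stop the \( anchor from matching; it also shows that a header without the double colon is treated as a sourcetype name, which is the source-vs-sourcetype confusion the replies above are pointing at.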

Contributor

I see you have not added the exact string in the props. Can you just copy the regex string within the "" and then try?

I mean try adding: \((?<cve>CVE[\w-]+)

0 Karma

Hi, thanks for such a quick response. No change unfortunately. I've added the :: mentioned here as well (which I've not seen used before).
Very strange, I've never had issues with this before. Maybe something it doesn't like in the regex?

0 Karma