Splunk Enterprise Security: Pulling data from message field

Communicator

Hello,

I have been trying unsuccessfully to parse/filter the data from the message field:

Message= Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required

Specifically the bolded part. Essentially what I need to do is remove the "threat event" from Trend Micro logs coming into the SIEM. I was able to do this with the following string, but the requirement changes in terms of what we are trying to do with these events once they are parsed/filtered (regex, or the line you will see below, assuming I even did that correctly).

| eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0,2) | table Short_Message

I suspect the Spyware/Grayware may change but I would really like to get either both the segment containing Spyware/Grayware: "threat name" or just the "threat name" somehow. Once that is accomplished I want to create an alert for ten threat events with the same name within 24 hours and another alert when the same machine gets 10 events within 24 hours.

I know I can do this with something like:

| where match(message,"Spyware") | transaction | search eventcount>=20

Keep in mind... I was trying this on the line above and apparently you cannot use the transaction command with eval commands?

Any help would be appreciated!

1 Solution

Motivator

Try this -

| makeresults
| eval message="Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required"
| rex field=message "(?<threat_type>[^:]*):\s(?<threat_name>[^\s]*)"
| eval threat=threat_type . ": " . threat_name
| table message, threat_type, threat_name, threat


Communicator

Hey!

I reached out to a buddy of mine after attempting to utilize the regex extractor/delimiter to no avail, and he came up with something very similar.

Message=(?<threat_type>[^:]+):\s(?<threat_name>[^\s]+)

I'm going to use that regex helper online and figure out regex at this point. It makes life easier, obviously....

Thanks!


Motivator

Nice. Some useful Splunk-recommended regex tools are listed here:

https://wiki.splunk.com/Community:RegexTestingTools


Communicator

It did not bold for me....

This is the part in question:

Spyware/Grayware: HackTool.VBS.InviBat.


Motivator

If I am not wrong, you have two questions:
1. Extracting the pattern '*Spyware/Grayware: *' from the 'Messages' field.
2. Creating the alerts below:
a. 10 threat events with the same name within 24 hours
b. The same machine gets 10 events within 24 hours

I hope creating the alerts won't be a problem once you have the correct threat pattern. Can you list the different types of 'Messages' you get in your log? This will be helpful for extracting the 'threat name'.

You can do that by running the query below:
[BASE SEARCH]
| dedup Message
| table Message
| head 20


Communicator

Exactly right, but the message field has a bunch of unnecessary information.

I don't need to see all of this:

Message=Spyware/Grayware: HackTool.VBS.InviBat.AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required

I just want to see this part:

Spyware/Grayware: HackTool.VBS.InviBat.

From there I can orient the data, but the parsing part is causing me the issue. I was just attempting to provide an entire picture of the end goal.

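The thread covers two things: extracting the threat type and name with the accepted answer's regex, and alerting when one threat name or one machine reaches 10 events inside 24 hours. The following is an added worked example, not code from the thread or from Splunk: it runs the accepted answer's regex (ported from Splunk's `(?<name>...)` to Python's `(?P<name>...)`) over the exact message posted in the question plus constructed sample events, adds a `computer` extraction that the thread never wrote (it assumes the field layout "Computer: <host>" followed by "Domain:", with line breaks between the fields in the real log; the pasted message shows them collapsed), and evaluates both alert conditions with a sliding 24-hour window. The sample events, host names and threat names other than the one in the question are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex from the accepted answer: first "<type>: <name>" pair at the start of the message.
THREAT_RE = re.compile(r"^(?P<threat_type>[^:]*):\s(?P<threat_name>[^\s]*)")
# Added for the "same machine" alert (assumption: a "Computer: <host>" field precedes "Domain:").
COMPUTER_RE = re.compile(r"Computer:\s*(?P<computer>.+?)\s*Domain:")

# The message exactly as pasted in the question (line breaks collapsed by the paste).
PAGE_MESSAGE = (r"Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: "
                r"Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: "
                r"8/7/2019 12:04:21Result: Further action required")


def parse_message(message):
    """Return threat_type, threat_name, the joined 'threat' (as in the accepted answer)
    and computer; an empty dict when the leading 'type: name' pair is absent."""
    m = THREAT_RE.search(message)
    if not m:
        return {}
    fields = m.groupdict()
    fields["threat"] = f"{fields['threat_type']}: {fields['threat_name']}"
    c = COMPUTER_RE.search(message)
    fields["computer"] = c.group("computer") if c else None
    return fields


def keys_over_threshold(events, key, threshold=10, window=timedelta(hours=24)):
    """Return the values of `key` (e.g. 'threat_name' or 'computer') that occur at least
    `threshold` times inside some span of length `window`. `events` is a list of
    (datetime, message) tuples. A sliding window is used so a burst that straddles a
    fixed 24h boundary is still caught."""
    stamps_by_value = defaultdict(list)
    for ts, message in events:
        value = parse_message(message).get(key)
        if value:
            stamps_by_value[value].append(ts)
    hits = set()
    for value, stamps in stamps_by_value.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(value)
                break
    return hits


def build_message(threat_type, threat_name, computer, when):
    """Constructed Trend Micro-style message; layout assumed from the post, one field per line."""
    return (f"{threat_type}: {threat_name}\n"
            f"Computer: {computer}\n"
            f"Domain: example.local\\Workstations\n"
            f"Date/Time: {when:%m/%d/%Y %H:%M:%S}\n"
            f"Result: Further action required")


def build_sample_events():
    """Constructed sample events (not real log data) covering both alerts and one near miss."""
    t0 = datetime(2019, 8, 7, 0, 0, 0)
    events = []
    # 10 hits of one threat on 10 different machines, one per hour -> threat-name alert fires.
    for i in range(10):
        ts = t0 + timedelta(hours=i)
        events.append((ts, build_message("Spyware/Grayware", "HackTool.VBS.InviBat.A", f"WS-{i + 1:02d}", ts)))
    # 10 different threats on one machine, one per hour -> machine alert fires.
    for i in range(10):
        ts = t0 + timedelta(hours=i)
        events.append((ts, build_message("Virus", f"Test.Sample.{i:02d}", "PATELS-E7470", ts)))
    # 10 hits of one threat on one machine every 3 hours (27 h span) -> never 10 inside 24 h.
    for i in range(10):
        ts = t0 + timedelta(hours=3 * i)
        events.append((ts, build_message("Trojan", "Demo.Spread.A", "WS-99", ts)))
    return events


if __name__ == "__main__":
    print(parse_message(PAGE_MESSAGE))
    sample = build_sample_events()
    print("threat names over threshold:", keys_over_threshold(sample, "threat_name"))
    print("machines over threshold:   ", keys_over_threshold(sample, "computer"))
```

In Splunk the same two conditions become scheduled alerts rather than a `transaction`: a search over the last 24 hours ending in `| rex field=Message "(?<threat_type>[^:]*):\s(?<threat_name>[^\s]*)" | stats count by threat_name | where count>=10` (and the same with `by computer` once that field is extracted). Note that a scheduled search covers a fixed window, so a burst split across two runs can stay under the threshold in both; the sliding window above is the stricter check if that matters.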