Dynamic field extraction with multiple values; Cisco ISE Posture checks

Builder

From our Cisco ISE we get Posture report events, each event can have multiple PostureReports.

PostureReport=Encase Service Policy\;Passed\;(Encase Service Status:Audit:Failed:Passed_Conditions[]:Failed_Conditions[Encase_Service_Check]:Skipped_Conditions[]),  PostureReport=Disk Encryption -- ActiveX Error\;Passed\;(Disk Encryption Status-ActiveX Error:Audit:Passed:Passed_Conditions[]:Failed_Conditions[Disk_Encryption_ActiveX_Error_x64:Disk_Encryption_ActiveX_Error:Disk_Encryption_ActiveX_Error_x86]:Skipped_Conditions[]),

I've extracted the Status of each posture policy with a transforms.conf entry

[extract_posture_dynamic_ise] 
FORMAT = $1::$2 
MV_ADD = 1 
REGEX = \sPostureReport=([^\\;]+)\\;(\w+)\\;

That part works perfectly. However, I now need to extract the status of the actual checks:

;(Encase Service Status:Audit:Failed:Passed_Conditions[]:Failed_Conditions[Encase_Service_Check]:Skipped_Conditions[]),  

Here's what I tried doing in transforms.conf before I noticed the caveat that this won't work at search time:

[extract_posture_checks_ise]
MV_ADD=1
REGEX=\sPostureReport=([^\\;]+)\\;\w+\\;\(([^:]+):([^:]+):([^:]+):Passed_Conditions\[(.*?)\]:Failed_Conditions\[(.*?)\]:Skipped_Conditions\[(.*?)\]\),
FORMAT=$2_Type::$3 $2_Status::$4 $2_Passed_Conditions::$5 $2_Failed_Conditions::$6 $2_Skipped_Conditions::$7

Can this be done through a different method?

0 Karma
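As an added illustration (not from the original question or answer, and written in Python rather than SPL so it can be run offline), the same regex structure applied with finditer so that every PostureReport in one event yields a field set named after its check, which is what the dynamic FORMAT above is reaching for. The sample event is constructed from the two reports quoted in the question:

```python
import re
from typing import Dict, List

# Constructed sample: two PostureReport entries as they appear in one Cisco ISE
# event (a real event carries about a dozen of them).
SAMPLE_EVENT = (
    r"PostureReport=Encase Service Policy\;Passed\;(Encase Service Status:Audit:Failed:"
    r"Passed_Conditions[]:Failed_Conditions[Encase_Service_Check]:Skipped_Conditions[]),  "
    r"PostureReport=Disk Encryption -- ActiveX Error\;Passed\;(Disk Encryption Status-ActiveX Error:"
    r"Audit:Passed:Passed_Conditions[]:Failed_Conditions[Disk_Encryption_ActiveX_Error_x64:"
    r"Disk_Encryption_ActiveX_Error:Disk_Encryption_ActiveX_Error_x86]:Skipped_Conditions[]),"
)

# Same capture layout as the transforms.conf attempt: policy, policy status,
# then the check tuple. '\\;' matches the literal backslash-semicolon delimiter.
POSTURE_RE = re.compile(
    r"PostureReport=(?P<policy>[^\\;]+)\\;(?P<policy_status>\w+)\\;"
    r"\((?P<check>[^:]+):(?P<check_type>[^:]+):(?P<check_status>[^:]+):"
    r"Passed_Conditions\[(?P<passed>[^\]]*)\]:"
    r"Failed_Conditions\[(?P<failed>[^\]]*)\]:"
    r"Skipped_Conditions\[(?P<skipped>[^\]]*)\]\)"
)


def split_conditions(text: str) -> List[str]:
    """'[]' yields an empty list; entries inside the brackets are colon-separated."""
    return [c for c in text.split(":") if c]


def extract_posture_checks(event: str) -> Dict[str, object]:
    """Fields named after each check, e.g. 'Encase Service Status_Status' -> 'Failed'.

    Every PostureReport in the event is visited, so new or removed checks
    simply add or drop a field set without changing the regex.
    """
    fields: Dict[str, object] = {}
    for m in POSTURE_RE.finditer(event):
        name = m.group("check")
        fields[f"{name}_Policy"] = m.group("policy")
        fields[f"{name}_Type"] = m.group("check_type")
        fields[f"{name}_Status"] = m.group("check_status")
        fields[f"{name}_Passed_Conditions"] = split_conditions(m.group("passed"))
        fields[f"{name}_Failed_Conditions"] = split_conditions(m.group("failed"))
        fields[f"{name}_Skipped_Conditions"] = split_conditions(m.group("skipped"))
    return fields


def failed_checks(event: str) -> List[str]:
    """Names of checks whose own status is 'Failed', the value a posture report keys on."""
    return [m.group("check") for m in POSTURE_RE.finditer(event)
            if m.group("check_status") == "Failed"]
```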

SplunkTrust

The following REX command should work to extract the data from the fields that you want (it could be simplified to just start from the "Passed_Conditions" portion if that makes sense for your data):

<your search> | rex field=_raw "PostureReport=([^;]+)\\;\w+\\;\(([^:]+):([^:]+):([^:]+):Passed_Conditions\[(?P<passedcond>[^\]]*)\]:Failed_Conditions\[({P<failedcond>[^\]]*)\]:Skipped_Conditions\[(?P<skippedcond>[^\]]*)\]\),"

It could also be modified to do a field extraction for the sourcetype.

0 Karma

Builder

The issue is that each event can have a dozen PostureReport lines, which is why I need the fields to be dynamically named based on the name of the check (capture group 2 in your example).

0 Karma

Builder

The first box of code in my question is an excerpt from a single event. It shows the PostureReport for two of the checks; there are about a dozen per event. The checks can be added and removed based on policy, so the solution needs to be dynamic to handle those changes.

0 Karma

SplunkTrust

Can you provide an example?

BTW - I have a typo in the rex - ({P should be (?P for the failedcond field.

0 Karma

Builder

Correct, I'd rather not add an index time field extraction.

0 Karma

SplunkTrust

When you say "this won't work at search time," do you mean that you don't want to do it at indexing time, but you want to do either a field extraction, or use a rex command in the search?

0 Karma