Splunk Search

Help With Extractions Involving Microsoft AV Hashes

dfurtaw
Path Finder

Inconsistency with file names coming from Microsoft AV hashes is causing alerts to populate null results when firing off after a file has been quarantined.

Currently, we are matching the hashes based on a lookup that is generated by a saved search. We are having problems with our regex expression because the file names within the WinEvent Log message are not consistent. We are trying to extract the file name. Most of the time, our regex is successful in pulling out the file name for the field. However, there are times when the file name is not extracted properly due to the format of the log being different (returning values that append (GZIP) or other characters). The main problem is that we are seeing it showing the entire zip location and not just the actual file itself.

Any suggestions on this would be awesome. The query being used to look at these events and extraction, then outputting to a lookup is:

This report runs every 5 minutes and scans for new files and hashes.

index=wineventlog (sourcetype="WinEventLog:System" OR sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational") EventCode=1120 (SourceName="Microsoft Antimalware" OR SourceName="Microsoft-Windows-Windows Defender") earliest=-5m@m latest=@m
| rex field=Threat_resource_path "(?<file_name>[^\\]+$)"
| stats count BY file_name ComputerName Hashes
| fields - count
| inputlookup append=t .csv
| dedup ComputerName Hashes
| outputlookup .csv

Example of a log that has trouble with extraction:

02/20/2020 02:20:44 AM
LogName=Microsoft-Windows-Windows Defender/Operational
SourceName=Microsoft-Windows-Windows Defender
EventCode=1120
EventType=4
Type=Information
ComputerName=
User=NOT_TRANSLATED
Sid=
SidType=0
TaskCategory=None
OpCode=Info
RecordNumber=33310
Keywords=None
Message=Windows Defender Antivirus has deduced the hashes for a threat resource.
Current Platform Version: 4.18.1911.3
Threat resource path: C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)
Hashes: SHA1:5b803dc7f6c6ahashgoesheree0efadfbf6c5ba834;

The file_name extraction wants to pull the entire f_019fa8->(GZip) as opposed to just f_019fa8. 😞

1 Solution

to4kawa
Ultra Champion
| makeresults
| eval Threat_resource_path="C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)"
| rex field=Threat_resource_path "^.*\\\(?<fname>\w+)"

There are various regular expressions.


richgalloway
SplunkTrust

Try | rex field=Threat_resource_path "(?<file_name>[^\\]+)[-$]"

---
If this reply helps you, Karma would be appreciated.

dfurtaw
Path Finder

Thank you Rich. This extraction worked 🙂

0 Karma

wmyersas
Builder

Knowing that the greater than (>) symbol is illegal in Windows filenames, you could modify your regex thusly:

| rex field=Threat_resource_path "(?<fname>[\w\:\.\\\-\s]+)\>?"

Then you merely need to pull the final hyphen (-), if there is one:

| eval fname=rtrim(fname,"-")

There's probably an even snazzier way to do this with just a regex - but this works

dfurtaw
Path Finder

Thank you! Along with the regex, the rtrim idea does what is needed!
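As an added example (not code from the thread or from Splunk), the following Python script runs the three rex patterns posted above over two constructed paths so you can see exactly what each one captures, and adds a small parser that splits the Threat resource path at Defender's "->" container separator, which is the same property of Windows file names ('>' cannot appear in one) that the last answer relies on. The message body, paths and hash value are constructed placeholders modelled on the event in the question, and the function names are my own.

```python
import re

# Constructed sample values modelled on the event in the question; the user,
# cache file and SHA1 are placeholders, not real quarantine data.
GZIP_PATH = (r"C:\Users\usergoeshere\AppData\Local\Google\Chrome"
             r"\User Data\Default\Cache\f_019fa8->(GZip)")
PLAIN_PATH = r"C:\Temp\report.txt"
SAMPLE_MESSAGE = (
    "Windows Defender Antivirus has deduced the hashes for a threat resource.\n"
    "Current Platform Version: 4.18.1911.3\n"
    "Threat resource path: " + GZIP_PATH + "\n"
    "Hashes: SHA1:5b803dc7f6c6ahashgoesheree0efadfbf6c5ba834;\n"
)

# The rex patterns posted in the thread, written as Python regexes. Splunk's
# rex is PCRE-based, so the character classes behave the same way; only the
# backslash quoting inside the SPL string literal differs.
THREAD_PATTERNS = {
    # original question: everything after the last backslash, to end of string
    "question":     re.compile(r"(?P<file_name>[^\\]+$)"),
    # accepted answer: word characters directly after the last backslash
    "to4kawa":      re.compile(r"^.*\\(?P<fname>\w+)"),
    # richgalloway: a run of non-backslash chars followed by a literal '-' or '$'
    "richgalloway": re.compile(r"(?P<file_name>[^\\]+)[-$]"),
    # wmyersas: path characters up to an optional '>' (rtrim of '-' applied below)
    "wmyersas":     re.compile(r"(?P<fname>[\w\:\.\\\-\s]+)\>?"),
}


def apply_thread_pattern(name, path):
    """Run one of the thread's regexes over a path and return the captured
    group, mirroring the eval rtrim(fname,"-") step for the wmyersas variant.
    Returns None when the pattern does not match at all."""
    m = THREAD_PATTERNS[name].search(path)
    if not m:
        return None
    value = m.group(1)
    if name == "wmyersas":
        value = value.rstrip("-")
    return value


def parse_event_1120(message):
    """Pull the resource path and the hash list out of an Event 1120 body.
    Returns {"path": str|None, "hashes": {algorithm: hexdigest}}."""
    path = re.search(r"^Threat resource path:\s*(.+?)\s*$", message, re.M)
    hashes = re.search(r"^Hashes:\s*(.+?)\s*$", message, re.M)
    hash_map = {}
    if hashes:
        # the Hashes line is "ALGO:value;ALGO:value;" style
        for item in hashes.group(1).split(";"):
            if ":" in item:
                algo, value = item.strip().split(":", 1)
                hash_map[algo] = value
    return {"path": path.group(1) if path else None, "hashes": hash_map}


def split_resource_path(path):
    """Separate the on-disk file from Defender's container annotations.

    Defender appends "->(Container)" or "->inner_name" for each nesting level.
    Because '>' is not a legal character in a Windows file name, splitting on
    "->" is unambiguous.  Returns (directory, file_name, [annotations]).
    """
    outer, *inner = path.split("->")
    directory, _, file_name = outer.rpartition("\\")
    return directory, file_name, inner


if __name__ == "__main__":
    for sample in (GZIP_PATH, PLAIN_PATH):
        print(sample)
        for name in THREAD_PATTERNS:
            print(f"  {name:13s} -> {apply_thread_pattern(name, sample)!r}")
        print("  split         ->", split_resource_path(sample))
    print(parse_event_1120(SAMPLE_MESSAGE))
```

Running the script prints, for each constructed path, what every posted pattern captures, so the behaviour on a path with and without the "->(GZip)" annotation can be compared side by side before deciding which extraction to keep in the saved search.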
