Splunk Search

Help creating regex extraction

neerajs_81
Builder

Gentlemen,
We are ingesting Windows SYSmon logs via TA-microsoft-sysmon , and the raw events are showing in XML format.   There are couple of fields that did not get extracted and even with IFX, the accuracy of extracting these 2 fields isn't working 100%.  
Below is one of the XML tags / elements from my raw event.  Can someone pls assist me with regex for extracting  techqniue_id and technique_name ??   As you can see, these 2 are embedded within the "RuleName" tag.

 

 

 

<Data Name='RuleName'>technique_id=T1055.001,technique_name=Dynamic-link Library</Data>

 

 

 

I have tried on regex101.com but can't get my capture group to extract these 2 values.  At the end of the day, i want 2 fields  techqniue_id ( with a value=T1055.001)   and technique_name ( value = Dynamic-link Library) to show up under "Interesting fields" .

Thank you in advance

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1 

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1 

neerajs_81
Builder

Thank you so much. That did the job for 90% of the events.  However i just noticed there are some raw events as below wherein the "RuleName" is empty  

 

 

<Data Name='RuleName'>-</Data>
<Data Name='EventType'>SetValue</Data>
<Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>

 

 

 In such cases,  the regex yours as well as the one generated by IFX ends up extracting technique_name ='UTCTime>2022-03-24 06:12:51<.

Any suggestions how to make it NOT extract or  if the "RuleName" attribute is empty ?  Basically in such cases, both technique_id and technique_name can be empty as well.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If the element is empty, nothing is extracted

https://regex101.com/r/YBEmIM/1 

0 Karma

neerajs_81
Builder

I am marking your post as the solution.  However, i am sending you a private message with details that shows Splunk still extracting a different field i.e. UTC time despite the "RuleName" being empty.  This doesn't make sense because regex101.com says otherwise.

0 Karma
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...