Splunk Search

Help creating regex extraction

neerajs_81
Builder

Gentlemen,
We are ingesting Windows SYSmon logs via TA-microsoft-sysmon , and the raw events are showing in XML format.   There are couple of fields that did not get extracted and even with IFX, the accuracy of extracting these 2 fields isn't working 100%.  
Below is one of the XML tags / elements from my raw event.  Can someone pls assist me with regex for extracting  techqniue_id and technique_name ??   As you can see, these 2 are embedded within the "RuleName" tag.

 

 

 

<Data Name='RuleName'>technique_id=T1055.001,technique_name=Dynamic-link Library</Data>

 

 

 

I have tried on regex101.com but can't get my capture group to extract these 2 values.  At the end of the day, i want 2 fields  techqniue_id ( with a value=T1055.001)   and technique_name ( value = Dynamic-link Library) to show up under "Interesting fields" .

Thank you in advance

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1 

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1 

neerajs_81
Builder

Thank you so much. That did the job for 90% of the events.  However i just noticed there are some raw events as below wherein the "RuleName" is empty  

 

 

<Data Name='RuleName'>-</Data>
<Data Name='EventType'>SetValue</Data>
<Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>

 

 

 In such cases,  the regex yours as well as the one generated by IFX ends up extracting technique_name ='UTCTime>2022-03-24 06:12:51<.

Any suggestions how to make it NOT extract or  if the "RuleName" attribute is empty ?  Basically in such cases, both technique_id and technique_name can be empty as well.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If the element is empty, nothing is extracted

https://regex101.com/r/YBEmIM/1 

0 Karma

neerajs_81
Builder

I am marking your post as the solution.  However, i am sending you a private message with details that shows Splunk still extracting a different field i.e. UTC time despite the "RuleName" being empty.  This doesn't make sense because regex101.com says otherwise.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...