Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help creating regex extraction

neerajs_81
Builder
‎03-23-2022 09:02 PM

Gentlemen,
We are ingesting Windows SYSmon logs via TA-microsoft-sysmon , and the raw events are showing in XML format.   There are couple of fields that did not get extracted and even with IFX, the accuracy of extracting these 2 fields isn't working 100%.  
Below is one of the XML tags / elements from my raw event.  Can someone pls assist me with regex for extracting  techqniue_id and technique_name ??   As you can see, these 2 are embedded within the "RuleName" tag.

 

 

 

<Data Name='RuleName'>technique_id=T1055.001,technique_name=Dynamic-link Library</Data>

 

 

 

I have tried on regex101.com but can't get my capture group to extract these 2 values.  At the end of the day, i want 2 fields  techqniue_id ( with a value=T1055.001)   and technique_name ( value = Dynamic-link Library) to show up under "Interesting fields" .

Thank you in advance

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2022 11:05 PM

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2022 11:05 PM

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1 

Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-23-2022 11:42 PM

Thank you so much. That did the job for 90% of the events.  However i just noticed there are some raw events as below wherein the "RuleName" is empty  

 

 

<Data Name='RuleName'>-</Data>
<Data Name='EventType'>SetValue</Data>
<Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>

 

 

 In such cases,  the regex yours as well as the one generated by IFX ends up extracting technique_name ='UTCTime>2022-03-24 06:12:51<.

Any suggestions how to make it NOT extract or  if the "RuleName" attribute is empty ?  Basically in such cases, both technique_id and technique_name can be empty as well.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2022 11:47 PM

If the element is empty, nothing is extracted

https://regex101.com/r/YBEmIM/1 

0 Karma
Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-23-2022 11:51 PM

I am marking your post as the solution.  However, i am sending you a private message with details that shows Splunk still extracting a different field i.e. UTC time despite the "RuleName" being empty.  This doesn't make sense because regex101.com says otherwise.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...