
Help creating regex extraction

neerajs_81
Builder

Gentlemen,
We are ingesting Windows Sysmon logs via TA-microsoft-sysmon, and the raw events are showing in XML format. There are a couple of fields that did not get extracted, and even with IFX, the accuracy of extracting these 2 fields isn't working 100%.
Below is one of the XML tags / elements from my raw event. Can someone please assist me with a regex for extracting technique_id and technique_name? As you can see, these 2 are embedded within the "RuleName" tag.

<Data Name='RuleName'>technique_id=T1055.001,technique_name=Dynamic-link Library</Data>

I have tried on regex101.com but can't get my capture group to extract these 2 values. At the end of the day, I want 2 fields, technique_id (with a value = T1055.001) and technique_name (value = Dynamic-link Library), to show up under "Interesting fields".

Thank you in advance


ITWhisperer
SplunkTrust
SplunkTrust

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1 


neerajs_81
Builder

Thank you so much. That did the job for 90% of the events. However, I just noticed there are some raw events as below wherein the "RuleName" is empty:

<Data Name='RuleName'>-</Data>
<Data Name='EventType'>SetValue</Data>
<Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>

In such cases, the regex (yours as well as the one generated by IFX) ends up extracting technique_name='UTCTime>2022-03-24 06:12:51<'.

Any suggestions on how to make it NOT extract if the "RuleName" attribute is empty? Basically, in such cases, both technique_id and technique_name can be empty as well.


ITWhisperer
SplunkTrust
SplunkTrust

If the element is empty, nothing is extracted.

https://regex101.com/r/YBEmIM/1 

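An added example, not from the thread, that runs the accepted regex over constructed single-line copies of the two event shapes discussed (populated RuleName and the "-" RuleName). It assumes Python's re module, so Splunk's (?<name>...) group syntax is written as (?P<name>...); the ATT&CK technique-id sanity check is an extra guard of my own, not something from the answer.

```python
import re

# Constructed sample events in the shape shown in the thread (single-line XML for brevity).
EVENT_WITH_RULE = (
    "<Data Name='RuleName'>technique_id=T1055.001,technique_name=Dynamic-link Library</Data>"
    "<Data Name='EventType'>SetValue</Data>"
    "<Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>"
)
EVENT_EMPTY_RULE = (
    "<Data Name='RuleName'>-</Data>"
    "<Data Name='EventType'>SetValue</Data>"
    "<Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>"
)
EVENT_BAD_ID = (  # constructed: RuleName populated, but not with an ATT&CK id
    "<Data Name='RuleName'>technique_id=foo,technique_name=bar</Data>"
    "<Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>"
)

# The regex from the accepted answer. Splunk (PCRE) writes named groups as (?<name>...);
# Python's re module needs (?P<name>...), which is the only change made to it here.
# The literal "technique_id=" right after the RuleName tag is what makes the pattern fail
# cleanly on a "-" RuleName, and [^,] / [^<] stop each group at the next delimiter, so the
# UtcTime element that follows can never be swallowed into technique_name.
RULE_RE = re.compile(
    r"Data Name='RuleName'>technique_id=(?P<technique_id>[^,]+),"
    r"technique_name=(?P<technique_name>[^<]+)<"
)

# ATT&CK technique ids look like T1055 or T1055.001 (hypothetical guard added here).
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def extract(event: str) -> dict:
    """Return {'technique_id': ..., 'technique_name': ...}, or {} when nothing valid is present."""
    m = RULE_RE.search(event)
    if m is None:
        return {}  # empty ("-") RuleName: no match, so no fields are produced
    fields = m.groupdict()
    if not TECHNIQUE_ID_RE.match(fields["technique_id"]):
        return {}  # drop values that are not ATT&CK ids rather than indexing junk
    return fields


if __name__ == "__main__":
    for ev in (EVENT_WITH_RULE, EVENT_EMPTY_RULE, EVENT_BAD_ID):
        print(extract(ev))
```

The same pattern can be tried ad hoc in Splunk with `| rex field=_raw "Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<"` before committing it to props.conf.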

neerajs_81
Builder

I am marking your post as the solution. However, I am sending you a private message with details that show Splunk still extracting a different field, i.e. UTC time, despite the "RuleName" being empty. This doesn't make sense because regex101.com says otherwise.
