Splunk Search

How to get a regex setup to tell me whether a session was decrypted or not based on the proxy Palo Alto Decryption flag?

coloradoark
New Member

Hi all; so we are decrypting traffic via Palo Alto, but we aren't using the PA app for Splunk. What I'm trying to figure out is how to get a regex setup to tell me a session was or was not decrypted based on the proxy flag. Has anyone done that yet?

Tags (3)
0 Karma
1 Solution

acharlieh
Influencer

As @richgalloway said... use the app... Specifically the tech addon for Palo Alto: https://splunkbase.splunk.com/app/2757/

The field to determine if you decrypted a session is part of a bit wise field: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-B...

This means, that while you may be able to use a regex to extract the flag field itself, you're not going to be able to use a regex to interpret the flag to determine if the session was decrypted or not. Instead you'll need bit arithmetic.

If we look at the transforms.conf of the tech addon, you'll see that they use delimiter based extractions instead of regular expressions to extract the field as session_flags. They then in the props.conf use some math to convert the single session_flags field into a multi-valued flags field... this is EVAL-flags in props.conf in the TA.

The flag you're asking about in particular:

if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted")

EDIT: And thanks to this answer by @martin_mueller I realize there's a bug in that line in the TA, and we need to add a %2 into it... so updated.

And issue logged with the TA: https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17

View solution in original post

acharlieh
Influencer

As @richgalloway said... use the app... Specifically the tech addon for Palo Alto: https://splunkbase.splunk.com/app/2757/

The field to determine if you decrypted a session is part of a bit wise field: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-B...

This means, that while you may be able to use a regex to extract the flag field itself, you're not going to be able to use a regex to interpret the flag to determine if the session was decrypted or not. Instead you'll need bit arithmetic.

If we look at the transforms.conf of the tech addon, you'll see that they use delimiter based extractions instead of regular expressions to extract the field as session_flags. They then in the props.conf use some math to convert the single session_flags field into a multi-valued flags field... this is EVAL-flags in props.conf in the TA.

The flag you're asking about in particular:

if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted")

EDIT: And thanks to this answer by @martin_mueller I realize there's a bug in that line in the TA, and we need to add a %2 into it... so updated.

And issue logged with the TA: https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17

richgalloway
SplunkTrust
SplunkTrust

Why not use the app?
If you'll post some sample events and the fields you want extracted from them, we can help craft a regex string or find some other way to get what you need.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...