I have the following CVE results form a vulnerability report and would like to extract the CVEs to individual CVEs on a separate field.
ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737
please assist on how to extract using REX and dump the indivual CVEs like CVE-2017-8708 and so on to a separate field
@leagawa, try the following run anywhere search based on your sample data:
| makeresults
| eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
| rex "(?<CVE>CVE[^C]+)" max_match=0
| mvexpand CVE
| table CVE
| eval CVE=rtrim(CVE,"-")
Thank you all for the quick response. All the above REGEX worked but the one that gave me the exact results that i needed was the second andswer. I was able to replace the eval _raw with other fields where the data resided in other formats and still got the CVE-- extracted.
Like this:
| makeresults
| eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
| eval CVE=split(_raw, "CVE-")
| eval CVE=mvfilter(NOT match(CVE, "^ADV\d+-"))
| rex field=CVE mode=sed "s/-$//"
Hi @leagawa,
You can try this regex -(?<CVE>[^-]*\-[^-]*\-[^-]*)
so based on sample data which you have provided I have created below query, first 2 lines are used to generate dummy data.
| makeresults
| eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
| rex "-(?<CVE>[^-]*\-[^-]*\-[^-]*)" max_match=0
| table CVE
| mvexpand CVE
@leagawa, try the following run anywhere search based on your sample data:
| makeresults
| eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
| rex "(?<CVE>CVE[^C]+)" max_match=0
| mvexpand CVE
| table CVE
| eval CVE=rtrim(CVE,"-")