Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What end of anchor parameter to use for the Symantec event?

jwalzerpitt
Influencer
‎07-26-2019 07:37 AM

I am trying to figure out what end of the anchor parameter to use for the Symantec event.

Here is a snippet of the Symantec event:

Application hash: 4a3c0caeaf4bef6a170e3d031f7181901464ff8271639bab1641465e6f97e000,Hash type: SHA2,Company name: ,Application name: Mac Cleanup Pro,Application version: ,Application type: -1,File size (bytes): 196640,Category set: Security risk,Category type: UNKNOWN,Location: ,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:

Here is my regex:

(?:Application\shash:\s*(?<Application_Hash>[^"]+)),?(?:Hash\stype:\s*(?<Hash_type>[^"]+)),?(?:Application\sname:\s*(?<Application_name>[^"]+)),?(?:Application\sversion:\s*(?<Applciation_version>[^"]+)),?(?:File\ssize\s\(bytes\)\s*(?<File_size>[^"]+)),?(?:Category\sset:\s*(?<Category_set>[^"]+)),?(?:Category\stype:\s*(?<Category_type>[^"]+)),?(?:Location:\s*(?<Location>[^"]+)),?(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^"]+)),?(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^"]+)),?(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^"]+)),?(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^"]+)),?(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^"]+)),?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))\z

I tried '$' and '\Z', but no luck getting the entire regex to match. If I leave the end of my regex as:

?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))?

The Group Signing_Timestamp is 0,Certificate serial number: so I know the regex is working up till the very end

Any help would be appreciated.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-26-2019 01:48 PM

Hey Jwalzerpitt!

I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.

This should work for the dataset you provided:

(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))

Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.

Give the extract command a try to see if it works to accomplish your goal like this:

...BASE SEARCH...
| extract kvdelim=":" pairdelim=","

If you run into any problems let me know and I'm happy to help.

View solution in original post

Reply
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-26-2019 01:48 PM

Hey Jwalzerpitt!

I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.

This should work for the dataset you provided:

(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))

Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.

Give the extract command a try to see if it works to accomplish your goal like this:

...BASE SEARCH...
| extract kvdelim=":" pairdelim=","

If you run into any problems let me know and I'm happy to help.

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎07-29-2019 11:41 AM

Thx a million for the regex help, and even better, the extract command as that worked perfectly!

Thx again

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-26-2019 10:05 AM

The regex is not looking for the "Company name" field. Also, It expects each field to end with ", but there are no quotes in the sample data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top