Splunk Search

What end of anchor parameter to use for the Symantec event?

jwalzerpitt
Motivator

I am trying to figure out what end of the anchor parameter to use for the Symantec event.

Here is a snippet of the Symantec event:

Application hash: 4a3c0caeaf4bef6a170e3d031f7181901464ff8271639bab1641465e6f97e000,Hash type: SHA2,Company name: ,Application name: Mac Cleanup Pro,Application version: ,Application type: -1,File size (bytes): 196640,Category set: Security risk,Category type: UNKNOWN,Location: ,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:

Here is my regex:

(?:Application\shash:\s*(?<Application_Hash>[^"]+)),?(?:Hash\stype:\s*(?<Hash_type>[^"]+)),?(?:Application\sname:\s*(?<Application_name>[^"]+)),?(?:Application\sversion:\s*(?<Applciation_version>[^"]+)),?(?:File\ssize\s\(bytes\)\s*(?<File_size>[^"]+)),?(?:Category\sset:\s*(?<Category_set>[^"]+)),?(?:Category\stype:\s*(?<Category_type>[^"]+)),?(?:Location:\s*(?<Location>[^"]+)),?(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^"]+)),?(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^"]+)),?(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^"]+)),?(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^"]+)),?(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^"]+)),?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))\z

I tried '$' and '\Z', but no luck getting the entire regex to match. If I leave the end of my regex as:

?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))?

The Group Signing_Timestamp is 0,Certificate serial number: so I know the regex is working up till the very end

Any help would be appreciated.

Thank you.

0 Karma
1 Solution

rbechtold
Communicator

Hey Jwalzerpitt!

I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.

This should work for the dataset you provided:

(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))

Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.

Give the extract command a try to see if it works to accomplish your goal like this:

...BASE SEARCH...
| extract kvdelim=":" pairdelim=","

If you run into any problems let me know and I'm happy to help.

View solution in original post

rbechtold
Communicator

Hey Jwalzerpitt!

I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.

This should work for the dataset you provided:

(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))

Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.

Give the extract command a try to see if it works to accomplish your goal like this:

...BASE SEARCH...
| extract kvdelim=":" pairdelim=","

If you run into any problems let me know and I'm happy to help.

View solution in original post

jwalzerpitt
Motivator

Thx a million for the regex help, and even better, the extract command as that worked perfectly!

Thx again

richgalloway
SplunkTrust
SplunkTrust

The regex is not looking for the "Company name" field. Also, It expects each field to end with ", but there are no quotes in the sample data.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!