Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: What end of anchor parameter to use for the Sy...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to figure out what end of the anchor parameter to use for the Symantec event.
Here is a snippet of the Symantec event:
Application hash: 4a3c0caeaf4bef6a170e3d031f7181901464ff8271639bab1641465e6f97e000,Hash type: SHA2,Company name: ,Application name: Mac Cleanup Pro,Application version: ,Application type: -1,File size (bytes): 196640,Category set: Security risk,Category type: UNKNOWN,Location: ,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:
Here is my regex:
(?:Application\shash:\s*(?<Application_Hash>[^"]+)),?(?:Hash\stype:\s*(?<Hash_type>[^"]+)),?(?:Application\sname:\s*(?<Application_name>[^"]+)),?(?:Application\sversion:\s*(?<Applciation_version>[^"]+)),?(?:File\ssize\s\(bytes\)\s*(?<File_size>[^"]+)),?(?:Category\sset:\s*(?<Category_set>[^"]+)),?(?:Category\stype:\s*(?<Category_type>[^"]+)),?(?:Location:\s*(?<Location>[^"]+)),?(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^"]+)),?(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^"]+)),?(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^"]+)),?(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^"]+)),?(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^"]+)),?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))\z
I tried '$' and '\Z', but no luck getting the entire regex to match. If I leave the end of my regex as:
?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))?
The Group Signing_Timestamp is 0,Certificate serial number: so I know the regex is working up till the very end
Any help would be appreciated.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Jwalzerpitt!
I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.
This should work for the dataset you provided:
(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))
Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.
Give the extract command a try to see if it works to accomplish your goal like this:
...BASE SEARCH...
| extract kvdelim=":" pairdelim=","
If you run into any problems let me know and I'm happy to help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Jwalzerpitt!
I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.
This should work for the dataset you provided:
(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))
Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.
Give the extract command a try to see if it works to accomplish your goal like this:
...BASE SEARCH...
| extract kvdelim=":" pairdelim=","
If you run into any problems let me know and I'm happy to help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx a million for the regex help, and even better, the extract command as that worked perfectly!
Thx again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex is not looking for the "Company name" field. Also, It expects each field to end with ", but there are no quotes in the sample data.
If this reply helps you, Karma would be appreciated.
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
