- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: soucetype pan:threat, extracting incorrect fie...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is sourcetype pan:threat extracting incorrect fields?
Hi all, so, on my es-security search head, this sourcetype is incorrectly parsing the user field. It is capturing all users correctly, but it's also capturing random stuff from the same log types where a username isn't present. I tried messing with the props.conf and transforms.conf but nothing seems to do anything. Does anyone have a good idea where to start? I tried to make a fresh field extraction also for just user field, but it made no difference.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look at the field extraction config (regex) and see why it's failing for logs with no user value. You probably have to write a regex that puts null/blank if regex not found. We'd need current regex and sample logs (for both where regex works and doesn't) to comment anything else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
coalesce(mvindex(split(src_user,"\\"),1),mvindex(split(dest_user,"\\"),1),recipient,sender,"unknown") ,
so this is the regex that is listed in the sourcetype as EVAL-user, it looks like that sourcetype is defined in splunk enterprise security. here is a log it works on -
Jun 16 11:08:50 1.1.1.1 1 <14>1 2022-06-16T11:08:53-04:00 1.1.1.1 - - - - 1,2022/06/16 11:08:53,111111111111,THREAT,vulnerability,2305,2022/06/16 11:08:38,1.1.1.1,1.1.1.1,0.0.0.0,0.0.0.0,MPLS_Inbound Allow All,test\user,,ms-wmi,vsys1,EXT-MPLS,INT-LAN,ethernet1/1,ae1,test,2022/06/16 11:08:38,1612859,1,58153,49154,0,0,0x2000,tcp,alert,,Microsoft Windows NTLMSSP Detection(111111),any,informational,client-to
and here is one where it is pulling random
Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,1100,0,0,0,,abc123123," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",,,,0,,0,,N/A,info-leak,AppThreat-1111-7437,0x0,0,4294967295," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",53182164-f27e-48e8-ae5d-e502b5ff412b,0,,,,,,,,,,,,,,,,,,,,,,,,,,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,1969-12-31T19:00:00.000-05:00,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,infrastructure,networking,network-protocol,2,"has-known-vulnerability,tunnel-other-application,pervasive-use",msrpc,untunneled,no,no
Here it's pulling user as - Qualys Cloud Agent URLs,computer-and-internet-info,low-risk
This was my proposed fix - [\w]+\\(?<user>[\w]+) but it doesnt seem to do anything. TYVM!
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
