how might i incorporate regex into a like eval element in a search like this. This syntax does not work
| eval product=case((signature LIKE "%Cipher%") OR (signature LIKE "%SMBv2 signing%") OR (signature LIKE "%Diffie-Hellman%") OR
(signature LIKE "%Weak Cryptographic%") OR (signature LIKE "%SHA-%") OR (signature LIKE "%SWEET32%") OR (signature LIKE "%TLS/SSL%") OR
(signature LIKE "%Certificate Is Invalid%") OR (signature LIKE "%protocol%"), "Cipher/Protocol/Cert",
signature LIKE "%Java%", "Java",
signature LIKE regex="[M][S][0-9][0-9][-][0-9][0-9][0-9]", "test",
signature LIKE "%Apache%", "Apache",
signature LIKE "%Apple%", "Apple",
signature LIKE "%Cisco%", "Cisco",
| search product=test
| dedup signature
| table signature product
You're on the right track, but the format for like
and case
is wrong.
| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown")
In full:
|eval product=case(
like(signature,"%Cipher%") , "Cipher/Protocol/Cert",
like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert",
like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert",
like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert",
like(signature,"%SHA-%") , "Cipher/Protocol/Cert",
like(signature,"%SWEET32%"), "Cipher/Protocol/Cert",
like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert",
like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert",
like(signature,"%protocol%"), "Cipher/Protocol/Cert",
like(signature, "%Java%"), "Java",
like(signature ,"%Apache%"), "Apache",
like(signature , "%Apple%"), "Apple",
like(signature ,"%Cisco%"), "Cisco",
match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test",
1=1, "Unknown"
)
| search product=test
| dedup signature
| table signature product
Excessive carriage returns for clarity only
You're on the right track, but the format for like
and case
is wrong.
| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown")
In full:
|eval product=case(
like(signature,"%Cipher%") , "Cipher/Protocol/Cert",
like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert",
like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert",
like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert",
like(signature,"%SHA-%") , "Cipher/Protocol/Cert",
like(signature,"%SWEET32%"), "Cipher/Protocol/Cert",
like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert",
like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert",
like(signature,"%protocol%"), "Cipher/Protocol/Cert",
like(signature, "%Java%"), "Java",
like(signature ,"%Apache%"), "Apache",
like(signature , "%Apple%"), "Apple",
like(signature ,"%Cisco%"), "Cisco",
match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test",
1=1, "Unknown"
)
| search product=test
| dedup signature
| table signature product
Excessive carriage returns for clarity only
Thank You