Splunk Search

transforms to extract fieldname and value from cb ioc fields

landen99
Motivator

I have a transform set up which seems simple enough, but it does not seem to be working at all. regex101 says that the regex matches the two fields with parentheses. The setup through the Splunk transforms GUI is as follows:

Name: ioc
Regular expression: ioc_type='([^']+)'\s+ioc_value='([^']+)
Source key: _raw
Format: $1::$1
Create multivalue fields: unchecked
Automatically clean field names: unchecked

Sample anonymized data with each of the four ioc_type values follows:

Jul 29 15:13:08 0.0.0.0 [5091] <warning> reason=feed.storage.hit type=event process_guid=00000329-0000-1bd0-01d0-c9d7b1a7dad0 segment_id=1 host='xxx-xxxx' comms_ip='0.0.0.0' interface_ip='0.0.0.0' sensor_id=809 feed_id=17 feed_name='fireeye' ioc_type='ipv4' ioc_value='0.0.0.0' direction='Outbound' protocol='TCP' port='80' timestamp='1438182765.08' start_time='2015-07-29T08:22:22.946Z' group='Default Group' process_md5='0b5673e14d06e57de45c4bae2cfdf292' process_name='firefox.exe' process_path='c:\program files (x86)\mozilla firefox\firefox.exe' last_update='2015-07-29T15:10:04.853Z' alliance_data_fireeye='['241945', '241953', '241954', '241957', '240593', '241886', '241867', '240593', '241867', '241886', '241945', '241953', '241954', '241957']' alliance_link_fireeye='https://0.0.0.0/event_stream/events_for_bot?ev_id=240593&lms_iden=00:25:90:5B:00:50' alliance_updated_fireeye='2015-07-21T18:56:21.000Z' alliance_score_fireeye='100'          0b5673e14d06e57de45c4bae2cfdf292             
Jul 29 14:12:16 0.0.0.0 [5091] <warning> reason=feed.ingress.hit type=event process_guid=00000620-0000-3268-01d0-ca0865e147fa host='xxx-xxxx' sensor_id=1568 feed_id=4 feed_name='virustotal' ioc_type='md5' ioc_value='7c6d524c78a1722ad987b9e47ac1fee2' timestamp='1438178913.41'                      
Jul 29 03:27:49 0.0.0.0 [5091] <warning> reason=feed.storage.hit type=event process_guid=000006fa-0000-0cd8-01d0-c9a3786d0ff9 segment_id=1 host='xxx-xxxx' comms_ip='0.0.0.0' interface_ip='0.0.0.0' sensor_id=1786 feed_id=17 feed_name='fireeye' ioc_type='dns' ioc_value='www.dropbox.com' direction='Outbound' protocol='TCP' local_ip='0.0.0.0' dns_name='www.dropbox.com' remote_port='443' local_port='63386' port='443' remote_ip='0.0.0.0' timestamp='1438140459.52' start_time='2015-07-29T02:08:33.101Z' group='Default Group' process_md5='f58b9d451c467b2bad88c7a8bbd5c285' process_name='chrome.exe' process_path='c:\program files (x86)\google\chrome\application\chrome.exe' last_update='2015-07-29T03:25:16.742Z' alliance_data_fireeye='3781' alliance_link_fireeye='https://0.0.0.0/malware_analysis/analyses?maid=3781&lms_iden=0C:C4:7A:31:BA:E6' alliance_updated_fireeye='2015-07-10T11:36:20.000Z' alliance_score_fireeye='75'            f58b9d451c467b2bad88c7a8bbd5c285             
Jul 28 11:10:12 0.0.0.0 [5091] <warning> reason=feed.storage.hit type=event process_guid=000000e1-0000-43c0-01d0-c9202df6c1e9 segment_id=1 host='xxx-xxxx' comms_ip='0.0.0.0' interface_ip='0.0.0.0' sensor_id=225 feed_id=8 feed_name='bit9suspiciousindicators' ioc_type='query' ioc_value='{"index_type": "events", "search_query": "cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe%20OR%20process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe%20OR%20process_name%3Ajava.exe%20OR%20process_name%3Ajavaw.exe)%20AND%20childproc_name%3Acmd.exe&cb.q.os_type=(os_type%3A%22windows%22)"}' timestamp='1438081591.35' start_time='2015-07-28T10:28:44.102Z' group='Default Group' process_md5='658633d255fef154ea1cb8705b4468c5' process_name='java.exe' process_path='c:\users\xxx\appdata\local\temp\barco control room management suite\jre1.7.0_45\bin\java.exe' last_update='2015-07-28T10:28:45.119Z' alliance_link_bit9suspiciou...

I am expecting to see:

ipv4=0.0.0.0
md5=7c6d524c78a1722ad987b9e47ac1fee2
dns=www.dropbox.com
query={"index_type": "events", "search_query": "cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe%20OR%20process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe%20OR%20process_name%3Ajava.exe%20OR%20process_name%3Ajavaw.exe)%20AND%20childproc_name%3Acmd.exe&cb.q.os_type=(os_type%3A%22windows%22)"}

Instead, I do not see any of those fields. The permissions are set to global. Any suggestions?

1 Solution

landen99
Motivator

It turns out that the best transforms don't actually do anything until they are called by a props entry (Field extractions: Type = "Uses transforms", through the GUI menu configuration). It works now that the transforms are being called by the props.
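
Added example (not code from the thread): a Python emulation of the `ioc` transform, running the question's regex over abridged, constructed copies of the four sample events and applying a Splunk-style FORMAT string, which shows that `$1::$2` yields `ipv4=0.0.0.0` while the question's `$1::$1` would yield `ipv4=ipv4`. The commented conf stanzas use a placeholder sourcetype name.

```python
import re

# Abridged, constructed copies of the four sample events from the thread
# (only the fields around ioc_type/ioc_value are kept).
SAMPLE_EVENTS = [
    "feed_name='fireeye' ioc_type='ipv4' ioc_value='0.0.0.0' direction='Outbound'",
    "feed_name='virustotal' ioc_type='md5' ioc_value='7c6d524c78a1722ad987b9e47ac1fee2' timestamp='1438178913.41'",
    "feed_name='fireeye' ioc_type='dns' ioc_value='www.dropbox.com' direction='Outbound'",
    """feed_name='bit9suspiciousindicators' ioc_type='query' ioc_value='{"index_type": "events", "search_query": "cb.urlver=1"}' timestamp='1438081591.35'""",
]

# Equivalent conf entries. The transforms stanza mirrors the GUI settings in the
# question (with the value taken from group 2); the props stanza
# (REPORT-<class> = <transform>) is the part the thread found was missing.
# "cb_events" is a placeholder sourcetype name.
#
#   transforms.conf
#   [ioc]
#   SOURCE_KEY = _raw
#   REGEX      = ioc_type='([^']+)'\s+ioc_value='([^']+)
#   FORMAT     = $1::$2
#
#   props.conf
#   [cb_events]
#   REPORT-ioc = ioc

IOC_REGEX = re.compile(r"ioc_type='([^']+)'\s+ioc_value='([^']+)")
FORMAT_REF = re.compile(r"^\$(\d+)::\$(\d+)$")


def apply_transform(raw, fmt="$1::$2"):
    """Emulate one search-time REGEX/FORMAT transform over _raw.

    FORMAT "$n::$m" means: field name from capture group n, value from
    capture group m. Returns {} when the regex does not match.
    """
    ref = FORMAT_REF.match(fmt)
    if ref is None:
        raise ValueError("unsupported FORMAT: %r" % fmt)
    name_group, value_group = int(ref.group(1)), int(ref.group(2))
    match = IOC_REGEX.search(raw)
    if match is None:
        return {}
    return {match.group(name_group): match.group(value_group)}


def extract_all(events, fmt="$1::$2"):
    """Run the transform over a batch of events, keeping only the hits."""
    return [f for f in (apply_transform(e, fmt) for e in events) if f]
```

Running `extract_all(SAMPLE_EVENTS)` gives the four name/value pairs the question expects; the same call with `fmt="$1::$1"` shows why the original FORMAT could never produce them.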

landen99
Motivator

I just realized that I may need to create a props entry to call the transforms, don't I?

landen99
Motivator

Confirmed working now that the props have been added.
