Splunk Search

transforms to extract fieldname and value from cb ioc fields

Motivator

I have a transform setup which seems simple enough, but does not seem to be working at all:
regex101 says that the regex matches the two fields with parentheses. The setup through the Splunk transforms gui is as follows:

ioc
ioc_type='([^']+)'\s+ioc_value='([^']+)
_raw
$1::$1
multivalue unchecked
clean unchecked

Sample anonymized data with each of the four ioc_type values follows:

Jul 29 15:13:08 0.0.0.0 [5091] <warning> reason=feed.storage.hit type=event process_guid=00000329-0000-1bd0-01d0-c9d7b1a7dad0 segment_id=1 host='xxx-xxxx' comms_ip='0.0.0.0' interface_ip='0.0.0.0' sensor_id=809 feed_id=17 feed_name='fireeye' ioc_type='ipv4' ioc_value='0.0.0.0' direction='Outbound' protocol='TCP' port='80' timestamp='1438182765.08' start_time='2015-07-29T08:22:22.946Z' group='Default Group' process_md5='0b5673e14d06e57de45c4bae2cfdf292' process_name='firefox.exe' process_path='c:\program files (x86)\mozilla firefox\firefox.exe' last_update='2015-07-29T15:10:04.853Z' alliance_data_fireeye='['241945', '241953', '241954', '241957', '240593', '241886', '241867', '240593', '241867', '241886', '241945', '241953', '241954', '241957']' alliance_link_fireeye='https://0.0.0.0/event_stream/events_for_bot?ev_id=240593&lms_iden=00:25:90:5B:00:50' alliance_updated_fireeye='2015-07-21T18:56:21.000Z' alliance_score_fireeye='100'          0b5673e14d06e57de45c4bae2cfdf292             
Jul 29 14:12:16 0.0.0.0 [5091] <warning> reason=feed.ingress.hit type=event process_guid=00000620-0000-3268-01d0-ca0865e147fa host='xxx-xxxx' sensor_id=1568 feed_id=4 feed_name='virustotal' ioc_type='md5' ioc_value='7c6d524c78a1722ad987b9e47ac1fee2' timestamp='1438178913.41'                      
Jul 29 03:27:49 0.0.0.0 [5091] <warning> reason=feed.storage.hit type=event process_guid=000006fa-0000-0cd8-01d0-c9a3786d0ff9 segment_id=1 host='xxx-xxxx' comms_ip='0.0.0.0' interface_ip='0.0.0.0' sensor_id=1786 feed_id=17 feed_name='fireeye' ioc_type='dns' ioc_value='www.dropbox.com' direction='Outbound' protocol='TCP' local_ip='0.0.0.0' dns_name='www.dropbox.com' remote_port='443' local_port='63386' port='443' remote_ip='0.0.0.0' timestamp='1438140459.52' start_time='2015-07-29T02:08:33.101Z' group='Default Group' process_md5='f58b9d451c467b2bad88c7a8bbd5c285' process_name='chrome.exe' process_path='c:\program files (x86)\google\chrome\application\chrome.exe' last_update='2015-07-29T03:25:16.742Z' alliance_data_fireeye='3781' alliance_link_fireeye='https://0.0.0.0/malware_analysis/analyses?maid=3781&lms_iden=0C:C4:7A:31:BA:E6' alliance_updated_fireeye='2015-07-10T11:36:20.000Z' alliance_score_fireeye='75'            f58b9d451c467b2bad88c7a8bbd5c285             
Jul 28 11:10:12 0.0.0.0 [5091] <warning> reason=feed.storage.hit type=event process_guid=000000e1-0000-43c0-01d0-c9202df6c1e9 segment_id=1 host='xxx-xxxx' comms_ip='0.0.0.0' interface_ip='0.0.0.0' sensor_id=225 feed_id=8 feed_name='bit9suspiciousindicators' ioc_type='query' ioc_value='{"index_type": "events", "search_query": "cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe%20OR%20process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe%20OR%20process_name%3Ajava.exe%20OR%20process_name%3Ajavaw.exe)%20AND%20childproc_name%3Acmd.exe&cb.q.os_type=(os_type%3A%22windows%22)"}' timestamp='1438081591.35' start_time='2015-07-28T10:28:44.102Z' group='Default Group' process_md5='658633d255fef154ea1cb8705b4468c5' process_name='java.exe' process_path='c:\users\xxx\appdata\local\temp\barco control room management suite\jre1.7.0_45\bin\java.exe' last_update='2015-07-28T10:28:45.119Z' alliance_link_bit9suspiciou...

I am expecting to see:

ipv4=0.0.0.0
md5=7c6d524c78a1722ad987b9e47ac1fee2
dns=www.dropbox.com
query={"index_type": "events", "search_query": "cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe%20OR%20process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe%20OR%20process_name%3Ajava.exe%20OR%20process_name%3Ajavaw.exe)%20AND%20childproc_name%3Acmd.exe&cb.q.os_type=(os_type%3A%22windows%22)"}

Instead, I do not see any of those fields. The permissions are set to global. Any suggestions?

0 Karma
1 Solution

Motivator

It turns out that the best transforms don't actually do anything until they are called by a props entry: field extractions:type=uses transforms through the gui menu configuration It works now that the transforms are being called by the props.

View solution in original post

0 Karma

Motivator

It turns out that the best transforms don't actually do anything until they are called by a props entry: field extractions:type=uses transforms through the gui menu configuration It works now that the transforms are being called by the props.

View solution in original post

0 Karma

Motivator

I just realized that I may need to create a props entry to call the transforms, don't I?

0 Karma

Motivator

confirmed working now that the props have been added.

0 Karma