Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

alexlomas
Path Finder

I found that the canned extractions for [field_extraction_for_agt_risk] and [field_extraction_for_agt_behavior] were not working with Splunk 6.2.3 and SEP manager v 12.1.4104.4130.

It looks like the last couple of fields for each were missing, in my case that's category_set, category_type, File_Size & Device_ID. I modified the regexes as below to make the last two fields optional. The pre-built dashboards now work correctly. I don't know if "something" is wrong in the versions, regexes, or logfiles themselves, but if the developer sees this perhaps they can comment 🙂

[field_extraction_for_agt_behavior]
REGEX = (\s*'[^']*'|\s*[^,]*)(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1})?
FORMAT = Severity::$2 Host_Name::$3 Action::$4 Description::$5 API::$6 Begin_Time::$7 End_Time::$8 Rule_Name::$9 Caller_Process_ID::$10 Caller_Process_Name::$11 Return_Address::$12 Return_Module::$13 Parameter::$14 User_Name::$15 Domain_Name::$16 Action_Type::$17 File_Size::$18 Device_ID::$19

[field_extraction_for_agt_risk]
REGEX = (\s*'[^']*'|\s*"[^"]*"|\s*[^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1},Application\sversion:\s(.*),Application\stype:([^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1})?
FORMAT = Risk_Action::$2 IP_Address::$3 Computer_Name::$4 Source::$5 Risk_Name::$6 Occurrences::$7 File_Path::$8 Description::$9 Actual_Action::$10 Requested_Action::$11 Secondary_Action::$12 Event_Time::$13 Event_Insert_Time::$14 End_Time::$15 Last_Update_Time::$16 Domain_Name::$17 Group_Name::$18 Server_Name::$19 User_Name::$20 Source_Computer_Name::$21 Source_Computer_IP::$22 Disposition::$23 Download_site::$24 Web_domain::$25 Downloaded_by::$26 Prevalence::$27 Confidence::$28 URL_Tracking_Status::$29 First_Seen::$31 Sensitivity::$32 Reason_for_white_listing::$33 Application_Hash::$34 Hash_Type::$35 Company_Name::$36 Application_Name::$37 Application_Version::$38 Application_Type::$39 File_Size::$40 Category_set::$41 Category_type::$42
0 Karma
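As an added illustration (not code from this thread or from the Splunk add-on), the Python below rebuilds the agt_behavior REGEX from its repeated field pattern in two forms: the shipped one with File_Size and Device_ID mandatory (inferred from the post, which says only the (?: ... )? wrapper was added) and the posted one with the optional tail. It runs both over a constructed 17-field event of the kind the poster describes and a 19-field event, and shows why a non-matching REGEX matters to a defender: Splunk extracts nothing for that event, so dashboards and searches keyed on Host_Name, Action or Caller_Process_Name go quiet without any error. The field names are the FORMAT line's; the sample events, build_regex, extract and extraction_rate are assumptions made for this example.

```python
import re

# Single field alternative used throughout the posted
# [field_extraction_for_agt_behavior] REGEX: a single-quoted value
# (which may contain commas) or a comma-free run, each allowed
# leading whitespace.
FIELD = r"(\s*'[^']*'|\s*[^,]*)"

# Names from the stanza's FORMAT line, in $2..$19 order ($1 stays unnamed).
BEHAVIOR_FIELDS = [
    "Severity", "Host_Name", "Action", "Description", "API", "Begin_Time",
    "End_Time", "Rule_Name", "Caller_Process_ID", "Caller_Process_Name",
    "Return_Address", "Return_Module", "Parameter", "User_Name",
    "Domain_Name", "Action_Type", "File_Size", "Device_ID",
]


def build_regex(optional_tail=True):
    """Rebuild the REGEX: one leading group, sixteen mandatory comma-prefixed
    groups, then File_Size and Device_ID. optional_tail=False keeps the last
    pair mandatory (the shipped form, as inferred from the post);
    optional_tail=True wraps it in (?: ... )? as the poster did."""
    body = FIELD + (r"(?:," + FIELD + r"){1}") * 16
    tail = (r"(?:," + FIELD + r"){1}") * 2
    if optional_tail:
        tail = r"(?:" + tail + r")?"
    return re.compile(body + tail)


def extract(line, optional_tail=True):
    """Mimic Splunk applying REGEX + FORMAT to one event. Returns a dict of
    field name -> value, or None when the REGEX does not match at all, which
    is what Splunk does too: no fields for that event, so panels filtering
    on Host_Name or Action silently show nothing."""
    m = build_regex(optional_tail).match(line)
    if m is None:
        return None
    fields = {}
    for name, value in zip(BEHAVIOR_FIELDS, m.groups()[1:]):
        if value is not None:             # absent optional groups capture None
            fields[name] = value.strip()  # quotes are kept, as FORMAT would
    return fields


def extraction_rate(lines, optional_tail=True):
    """Share of events that yield any fields. Assumed helper: a quick check
    to run over a sample of real events before and after editing
    transforms.conf, so a format mismatch shows up as a number rather than
    as empty dashboard panels."""
    matched = sum(1 for l in lines if extract(l, optional_tail) is not None)
    return matched / len(lines) if lines else 0.0


# Constructed sample events (not real SEP output). SHORT_EVENT carries the
# 17 fields the poster's logs have; LONG_EVENT adds File_Size and Device_ID.
SHORT_EVENT = (
    "2015-06-01 10:15:22,1,WKS-042,Block,"
    "'Unauthorized NT call rejected, Tamper Protection',NtOpenProcess,"
    "2015-06-01 10:15:20,2015-06-01 10:15:21,Tamper Protection,4120,"
    "C:\\Users\\jdoe\\Downloads\\setup.exe,0x7ffb1234,ntdll.dll,"
    "'C:\\Program Files\\Symantec\\Smc.exe',jdoe,CORP,5"
)
LONG_EVENT = SHORT_EVENT + ",1572864,DEV-0001"

if __name__ == "__main__":
    for label, opt in (("shipped", False), ("optional tail", True)):
        print(f"{label}: short event -> {extract(SHORT_EVENT, opt)}")
        print(f"{label}: rate over both samples = "
              f"{extraction_rate([SHORT_EVENT, LONG_EVENT], opt):.0%}")
```

The quoted Description with an embedded comma is there on purpose: it exercises the '[^']*' alternative, so the check also confirms that quoted fields are not split at the comma. The shipped form returns None for the 17-field event (extraction rate 50% over the two samples) while the optional-tail form extracts both (100%), with File_Size and Device_ID simply absent on the short one.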
1 Solution

mreynov_splunk
Splunk Employee
Splunk Employee

Alright, I guess it IS a bug and we will fix in the next release. The difference must stem from a difference in SEP configuration.

0 Karma

alexlomas
Path Finder

OK - let me know if you want file samples offline.

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

would love some samples. thanks!

0 Karma

alexlomas
Path Finder

Not quite sure how to mail them over - we have a support contract so if you can see me in the CRM you can pull out my email address I guess.

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

A new reply to an answer on Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working was posted by alexlomas on Splunk Answers:

Awesome - are any of the other field extractions affected?

On a semi-related topic: how is the malware lookup supposed to work? Or rather, in which reports/panels is it used?


I might have been too hasty, please respond to question below to clarify.

re: malware lookup - it is used to map to CIM category field. TA is focused on getting data into Splunk and does not come with built in visual components. If you have ES, this data will show up in Malware related dashboards.

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

To confirm: the fields were not being extracted or missing in your logs?

0 Karma

alexlomas
Path Finder

The fields are not in the logs - I modified the extractions to make the last two fields for both files optional with a (?: ... )?

0 Karma