Hi Everyone,
I am trying to concoct a regular expression in the Splunk App for Enterprise Security to find all SCCM logs that contain dest_name="CN. The results of the search will be sent to an alternate SIEM solution.
Log example:
"09-01-2015 11:18:59" timestamp=1441120739267, vendor_product="SystemCenterEndpointProtection", type="SecurityIncident", resourceid=67132131, dest_name="CNWSNCHHHD001", dest_nt_domain="REDACTED", detectiontime=1441120739267, actiontime=1441120750000, product_version="4.5.0216.0", detectionid="{REDACTED}", detection_source="realtime", user="REDACTED", target_process="REDACTED", file_path="REDACTED", signature="Virus:DOS/JackTheRipper", severity="Severe", category="Virus", action_type="quarantine", action="deferred", action_result="false", action_error_code=-2147024846, pending_action="noaction"
(Also, sourcetype should be from sccm:malware)
Any assistance to what I may be doing wrong would be greatly appreciated.
Thanks,
Al Wever
In an ad hoc search you could just run:
index=<your index> sourcetype=sccm:malware dest_name="CN*"
If you're trying to extract the characters following the CN you could run:
index=<your index> sourcetype=sccm:malware dest_name="CN*" | rex field=dest_name "CN(?<dest_name_uid>[^\"]+)" | table dest_name_uid
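As an added illustration (not from the original thread or from Splunk), the answer's filter-and-rex logic rewritten in Python over constructed sample events in the same key=value format as the question's log line; the CN pattern is anchored with ^ so it matches only hostnames that begin with CN, which the unanchored rex alone would not guarantee without the preceding dest_name="CN*" filter:

```python
import re

# Constructed sample events in the SCCM/SCEP key=value layout from the question
# (host names and values are placeholders, not real hosts).
SAMPLE_EVENTS = [
    ('"09-01-2015 11:18:59" timestamp=1441120739267, vendor_product="SystemCenterEndpointProtection", '
     'type="SecurityIncident", dest_name="CNWSNCHHHD001", dest_nt_domain="REDACTED", '
     'signature="Virus:DOS/JackTheRipper", severity="Severe", action="deferred"'),
    ('"09-01-2015 11:20:03" timestamp=1441120803000, vendor_product="SystemCenterEndpointProtection", '
     'type="SecurityIncident", dest_name="USWSNCHHHD002", severity="Severe", action="quarantine"'),
    ('"09-01-2015 11:21:10" timestamp=1441120870000, vendor_product="SystemCenterEndpointProtection", '
     'type="SecurityIncident", dest_name="LABCN-TEST01", severity="Low", action="noaction"'),
]

# Matches key="quoted value" or key=bare_value (bare values end at a comma or whitespace).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

# Python form of the answer's rex: CN(?<dest_name_uid>[^"]+), with a ^ anchor added so
# a host such as LABCN-TEST01 is not picked up by the CN in the middle of its name.
CN_UID_ANCHORED = re.compile(r'^CN(?P<dest_name_uid>[^"]+)')
CN_UID_UNANCHORED = re.compile(r'CN(?P<dest_name_uid>[^"]+)')


def parse_event(raw):
    """Return the event's key=value pairs as a dict; the leading quoted timestamp is ignored."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(raw)}


def extract_cn_uids(events, anchored=True):
    """Emulate: dest_name="CN*" | rex field=dest_name "CN(?<dest_name_uid>[^\"]+)" | table dest_name_uid"""
    pattern = CN_UID_ANCHORED if anchored else CN_UID_UNANCHORED
    uids = []
    for raw in events:
        event = parse_event(raw)
        match = pattern.search(event.get("dest_name", ""))
        if match:
            uids.append(match.group("dest_name_uid"))
    return uids


if __name__ == "__main__":
    print(extract_cn_uids(SAMPLE_EVENTS))                  # ['WSNCHHHD001']
    print(extract_cn_uids(SAMPLE_EVENTS, anchored=False))  # ['WSNCHHHD001', '-TEST01']
```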