Splunk Search

What end of anchor parameter to use for the Symantec event?

jwalzerpitt
Influencer

I am trying to figure out what end of the anchor parameter to use for the Symantec event.

Here is a snippet of the Symantec event:

Application hash: 4a3c0caeaf4bef6a170e3d031f7181901464ff8271639bab1641465e6f97e000,Hash type: SHA2,Company name: ,Application name: Mac Cleanup Pro,Application version: ,Application type: -1,File size (bytes): 196640,Category set: Security risk,Category type: UNKNOWN,Location: ,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:

Here is my regex:

(?:Application\shash:\s*(?<Application_Hash>[^"]+)),?(?:Hash\stype:\s*(?<Hash_type>[^"]+)),?(?:Application\sname:\s*(?<Application_name>[^"]+)),?(?:Application\sversion:\s*(?<Applciation_version>[^"]+)),?(?:File\ssize\s\(bytes\)\s*(?<File_size>[^"]+)),?(?:Category\sset:\s*(?<Category_set>[^"]+)),?(?:Category\stype:\s*(?<Category_type>[^"]+)),?(?:Location:\s*(?<Location>[^"]+)),?(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^"]+)),?(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^"]+)),?(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^"]+)),?(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^"]+)),?(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^"]+)),?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))\z

I tried '$' and '\Z', but no luck getting the entire regex to match. If I leave the end of my regex as:

?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))?

The Group Signing_Timestamp is 0,Certificate serial number: so I know the regex is working up till the very end

Any help would be appreciated.

Thank you.

0 Karma
1 Solution

rbechtold
Communicator

Hey Jwalzerpitt!

I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.

This should work for the dataset you provided:

(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))

Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.

Give the extract command a try to see if it works to accomplish your goal like this:

...BASE SEARCH...
| extract kvdelim=":" pairdelim=","

If you run into any problems let me know and I'm happy to help.

View solution in original post

rbechtold
Communicator

Hey Jwalzerpitt!

I can't remember why, but I've worked with this same symantec extraction before. I went ahead and found it and made it work for your data.

This should work for the dataset you provided:

(?:Application\shash:\s*(?<Application_Hash>[^%\,]+))?,\s*(?:Hash\stype:\s*(?<Hash_Type>[^%\,]+))?,\s*(?:Company\sname:\s*(?<Company_Name>[^\,]+))?,\s*(?:Application\sname:(?<Application_Name>[^%\,]+))?,(?:Application\sversion:\s*(?P<Application_Version>[^\,]+))?,\s*(?:Application\stype:\s*(?<Application_Type>[^%\,]+))?,\s*(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^%\,]+))?(?:,\s*Category\sset:\s*(?<Category_Set>[^%\,]+),\s*Category\stype:\s*(?<Category_Type>[^%\,]+))?,?\s*(?:Location:\s*(?<Location>[^%\,]+))?\,(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^%\,]+))?,?\s*(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^%\,]+))?,?\s*(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^%\,]+))?,?\s*(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^%\,]+))?,?\s*(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^%\,]+))?,?\s*(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>.*?(?:[^%\,]+|$|\z)))

Also, you might find some use out of the extract command. The dataset you provided is consistantly in a "FIELD:VALUE," format.

Give the extract command a try to see if it works to accomplish your goal like this:

...BASE SEARCH...
| extract kvdelim=":" pairdelim=","

If you run into any problems let me know and I'm happy to help.

jwalzerpitt
Influencer

Thx a million for the regex help, and even better, the extract command as that worked perfectly!

Thx again

richgalloway
SplunkTrust
SplunkTrust

The regex is not looking for the "Company name" field. Also, It expects each field to end with ", but there are no quotes in the sample data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...