Splunk Enterprise Security: Pulling data from message field

Hegemon76
Communicator

Hello,

I have been trying unsuccessfully to parse/filter the data from the message field:

Message= Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required

Specifically the bolded part. Essentially what I need to do is remove the "threat event" from Trend Micro logs coming into the SIEM. I was able to do this with the following string but the requirement changes in terms of what we are trying to do with these events once they are parsed/filtered (regex or the line you will see below assuming I even did that correctly).

| eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0,2) | table Short_Message

I suspect the Spyware/Grayware may change but I would really like to get either both the segment containing Spyware/Grayware: "threat name" or just the "threat name" somehow. Once that is accomplished I want to create an alert for ten threat events with the same name within 24 hours and another alert when the same machine gets 10 events within 24 hours.

I know I can do this with something like:

| where match(message,"Spyware") | transaction | search eventcount>=20

Keep in mind... I was trying this on the line above and apparently you cannot use the transaction command with eval commands?

Any help would be appreciated!

1 Solution

jawaharas
Motivator

Try this -

| makeresults
| eval message="Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required"
| rex field=message "(?<threat_type>[^:]*):\s(?<threat_name>[^\s]*)"
| eval threat=threat_type . ": " . threat_name
| table message, threat_type, threat_name, threat

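The accepted answer's rex works on the sample because a space follows "InviBat."; in the variant quoted later in the thread ("InviBat.AComputer:") the `[^\s]*` group would run on into "AComputer:". The example below is an added illustration, not code from the thread or from Splunk or Trend Micro: it does the same extraction in Python but anchors the threat name on the next field label ("Computer:"), then applies the two alert rules the question asks for (10 events with the same threat name within 24 hours, and 10 events on the same machine within 24 hours) as a sliding window over parsed timestamps. The field layout (labels run together, a stray "A" before "Computer:", month/day date order) is assumed from the thread's one sample message, and all other messages are constructed test data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The thread's own sample message, copied as-is (raw string so the backslashes survive).
THREAD_SAMPLE = (r"Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: "
                 r"Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: "
                 r"8/7/2019 12:04:21Result: Further action required")

# Assumed layout: "<type>: <name>Computer: <host>Domain: <dom>Date/Time: <ts>Result: <res>",
# with the labels run together. The stray "A" before "Computer:" in the sample is tolerated
# as an assumption (probably a lost separator), and a trailing "." on the name is dropped.
TREND_RE = re.compile(
    r"^(?P<threat_type>[^:]+):\s*"
    r"(?P<threat_name>.+?)\.?\s*A?Computer:\s*"
    r"(?P<computer>.+?)Domain:\s*"
    r"(?P<domain>.+?)Date/Time:\s*"
    r"(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\s*"
    r"Result:\s*(?P<result>.+)$"
)


def parse_message(message):
    """Return the fields of one message as a dict, or None if it does not match the layout."""
    m = TREND_RE.match(message)
    if not m:
        return None
    fields = m.groupdict()
    # Month/day order is assumed: "8/7/2019" is read as 7 August 2019.
    fields["time"] = datetime.strptime(fields["timestamp"], "%m/%d/%Y %H:%M:%S")
    # The short form the question asks for ("Spyware/Grayware: HackTool.VBS.InviBat").
    fields["threat"] = f"{fields['threat_type']}: {fields['threat_name']}"
    return fields


def keys_over_threshold(events, key, threshold=10, window=timedelta(hours=24)):
    """Return the set of `key` values with >= threshold events inside any 24 h window.

    Per key, timestamps are sorted and a two-pointer sliding window is moved over them,
    which is the by-hand equivalent of what the question tried with transaction/eventcount.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[key]].append(ev["time"])
    hits = set()
    for value, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(value)
                break
    return hits


def build_message(threat_name, computer, when):
    """Constructed sample message in the same run-together layout as the thread's example."""
    return (f"Spyware/Grayware: {threat_name}. AComputer: {computer}"
            f"Domain: Adgrouping\\Corp.root.ipc.com\\Na\\Myhnj\\Workstations\\WINDOWS 7\\"
            f"Date/Time: {when.strftime('%m/%d/%Y %H:%M:%S')}Result: Further action required")


def constructed_sample():
    """Constructed test data: one threat name hitting 10 hosts inside 24 h (should alert),
    one host with 10 different threats inside 24 h (should alert), and a slow trickle of
    10 events over 18 days that must not alert on either rule."""
    t0 = datetime(2019, 8, 7, 12, 4, 21)
    msgs = [build_message("HackTool.VBS.InviBat", f"WS-{i:02d}", t0 + timedelta(hours=2 * i))
            for i in range(10)]
    msgs += [build_message(f"Adware.Win32.Sample{i}", "PATELS-E7470", t0 + timedelta(minutes=30 * i))
             for i in range(10)]
    msgs += [build_message("PUA.Win32.Trickle", "WS-99", t0 + timedelta(days=2 * i))
             for i in range(10)]
    return msgs


def run_alerts(messages):
    """Parse every message and evaluate both alert rules from the question."""
    events = [f for f in (parse_message(m) for m in messages) if f]
    return {
        "parsed": len(events),
        "threat_names": keys_over_threshold(events, "threat_name"),
        "computers": keys_over_threshold(events, "computer"),
    }


if __name__ == "__main__":
    print(parse_message(THREAD_SAMPLE)["threat"])
    print(run_alerts(constructed_sample()))
```

In Splunk terms the same shape is a rex with a lookahead on the next label followed by a `bin _time span=24h | stats count by threat_name` (and again `by computer`) with a `where count>=10`; the Python version is just easier to test offline against messages with and without the space after the threat name.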

Hegemon76
Communicator

Hey!

I reached out to a buddy of mine after attempting to utilize the regex extractor/delimiter to no avail, and he came up with something very similar.

Message=(?[^:]+):\s(?[^\s]+)

I'm going to use that regex helper online and figure out regex at this point. Makes life easier obviously....

Thanks!


jawaharas
Motivator

Nice. Some cool Splunk-recommended RegEx tools can be found here.

https://wiki.splunk.com/Community:RegexTestingTools


Hegemon76
Communicator

It did not bold for me....

This is the part in question:

Spyware/Grayware: HackTool.VBS.InviBat.


jawaharas
Motivator

If I am not wrong, you have two questions:
1. Extracting the pattern '*Spyware/Grayware: *' from the 'Messages' field.
2. Creating the alerts below:
a. 10 threat events with the same name within 24 hours
b. The same machine gets 10 events within 24 hours

I hope creating the alert won't be a problem once you have the correct threat pattern. Can you list the different possible types of 'Messages' you get in your log? This will be helpful for extracting the 'threat name'.

You can do that by running the query below:
[BASE SEARCH]
| dedup Message
| table Message
| head 20


Hegemon76
Communicator

Exactly right but the message field has a bunch of unnecessary information.

I don't need to see all of this:

Message=Spyware/Grayware: HackTool.VBS.InviBat.AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required

I just want to see this part:

Spyware/Grayware: HackTool.VBS.InviBat.

From there I can orient the data but the parsing part is causing me the issue. I was just attempting to provide an entire picture of the end goal.
