Hi,
I am having the following event and I am trying to extract the URI and FileSHA256 fields, but not using the search tab (with the rex command). Would you please assist me on this matter? Thank you.
Jan 29 14:12:48 2020-01-29T12:13:38Z asa-internet-primary-sourcefire3d (null) %NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.213, DstIP: , SrcPort: 15808, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d, SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: , FileType: MSCAB, FileSize: 7796, ApplicationProtocol: HTTP, Client: Microsoft CryptoAPI, WebApplication: Microsoft Update, User: No Authentication Required, FirstPacketSecond: 2020-01-29T12:13:38Z, FilePolicy: AMP-Policy, ArchiveFileName: , ArchiveFileStatus: Extracted, Context: admin, URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/
| makeresults
| eval _raw="Jan 29 14:12:48 2020-01-29T12:13:38Z asa-internet-primary-sourcefire3d (null) %NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.213, DstIP: , SrcPort: 15808, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d, SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: , FileType: MSCAB, FileSize: 7796, ApplicationProtocol: HTTP, Client: Microsoft CryptoAPI, WebApplication: Microsoft Update, User: No Authentication Required, FirstPacketSecond: 2020-01-29T12:13:38Z, FilePolicy: AMP-Policy, ArchiveFileName: , ArchiveFileStatus: Extracted, Context: admin, **URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/**";
| eval _raw=split(_raw,","), _counter=mvrange(0,mvcount(_raw)) , raw=mvzip(_counter,_raw)
| stats count as session by raw
| sort raw
| rex field=raw mode=sed "s/\*\*//g"
| rex field=raw "(?<time>\w+ \d+ \d+:\d+:\d+) (?<atime>\S+)" | eval atime=strptime(replace(atime,"Z"," +0000"),"%FT%T %z")
| eval raw=if(isnull(atime),raw,NULL)
| rex field=raw "(?<fieldname>\w+):\s?(?<value>.+)"
| eval {fieldname} = value
| fields - raw fieldname value
| stats values(*) as *
Hi, how about this?
Hi
Try this
| makeresults
| eval temp="Jan 29 14:12:48 2020-01-29T12:13:38Z asa-internet-primary-sourcefire3d (null) %NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.213, DstIP: , SrcPort: 15808, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d, SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: , FileType: MSCAB, FileSize: 7796, ApplicationProtocol: HTTP, Client: Microsoft CryptoAPI, WebApplication: Microsoft Update, User: No Authentication Required, FirstPacketSecond: 2020-01-29T12:13:38Z, FilePolicy: AMP-Policy, ArchiveFileName: , ArchiveFileStatus: Extracted, Context: admin, URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/";
| rex field=temp "FileSHA256:\s+(?P<FileSHA256>[^,]+).+URI:\s+(?P<URI>.+)$"
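The extraction both answers perform, as an added example that is not part of any post in this thread: a Python parser for the NGIPS `Key: value, Key: value` body that pulls FileSHA256 and URI and handles the cases a plain split on "," trips over (empty values such as `DstIP: `, values with spaces, and a URI that itself contains a comma). The two sample events are constructed: the first copies the event from the question, the second (empty hash, comma in the URI) is an assumed variant added to exercise the edge cases. The function and constant names are assumptions of this example, not Sourcefire or Splunk identifiers.

```python
import re

# Constructed sample events. EVENTS[0] mirrors the event in the question; EVENTS[1] is an
# assumed variant with an empty FileSHA256 and a comma inside the URI (not from the page).
EVENTS = [
    "Jan 29 14:12:48 2020-01-29T12:13:38Z asa-internet-primary-sourcefire3d (null) "
    "%NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.213, DstIP: , SrcPort: 15808, "
    "DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, "
    "FileSHA256: ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d, "
    "SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, "
    "ThreatName: Unknown, FileName: , FileType: MSCAB, FileSize: 7796, "
    "ApplicationProtocol: HTTP, Client: Microsoft CryptoAPI, WebApplication: Microsoft Update, "
    "User: No Authentication Required, FirstPacketSecond: 2020-01-29T12:13:38Z, "
    "FilePolicy: AMP-Policy, ArchiveFileName: , ArchiveFileStatus: Extracted, Context: admin, "
    "URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/",
    "Jan 29 14:13:02 2020-01-29T12:13:52Z asa-internet-primary-sourcefire3d (null) "
    "%NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.77, DstIP: , SrcPort: 40112, "
    "DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, "
    "FileSHA256: , SHA_Disposition: Unavailable, ThreatName: Unknown, FileName: update.cab, "
    "FileType: MSCAB, FileSize: 1024, ApplicationProtocol: HTTP, Context: admin, "
    "URI: http://dl.example.test/update.cab?rev=3,lang=en",
]

# The syslog + ISO timestamp header ends at the "%NGIPS-<sev>-<id>:" message tag; everything
# after the tag is the comma-separated "Key: value" body.
HEADER = re.compile(r"^(?P<header>.*?)%(?P<msg_id>NGIPS-\d+-\d+):\s*(?P<body>.*)$")

# One "Key: value" pair. The value is taken lazily up to the next ", Key: " separator or the
# end of the line, so an empty value ("DstIP: , ...") yields "" and a value containing
# spaces or a bare comma ("Malware Cloud Lookup", "...?rev=3,lang=en") is kept whole.
PAIR = re.compile(r"(?P<key>\w+):\s?(?P<value>.*?)(?=,\s\w+:\s|$)")

SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def parse_ngips_event(event: str) -> dict:
    """Return {'msg_id', 'header', 'fields': {Key: value, ...}} for one NGIPS event."""
    m = HEADER.match(event)
    if not m:
        raise ValueError("not an NGIPS event: no %NGIPS-x-y: tag found")
    fields = {p["key"]: p["value"] for p in PAIR.finditer(m["body"])}
    return {"msg_id": m["msg_id"], "header": m["header"].strip(), "fields": fields}


def extract_file_indicators(event: str) -> dict:
    """Pull only FileSHA256 and URI. The hash is validated as exactly 64 hex digits and
    normalised to lower case; a blank or malformed hash becomes None so a downstream
    reputation lookup never receives an empty or truncated indicator."""
    fields = parse_ngips_event(event)["fields"]
    sha = fields.get("FileSHA256", "").strip()
    return {
        "FileSHA256": sha.lower() if SHA256.fullmatch(sha) else None,
        "URI": fields.get("URI") or None,
    }


def naive_split(event: str) -> dict:
    """Split-on-comma parsing (the approach of the mvzip/split SPL above), kept here only
    to show the failure mode: any value that itself contains a comma is truncated."""
    body = HEADER.match(event)["body"]
    out = {}
    for chunk in body.split(","):
        key, sep, value = chunk.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


if __name__ == "__main__":
    for ev in EVENTS:
        print(extract_file_indicators(ev))
```

If the goal is a search-time extraction that does not live in the search bar, the same two anchored patterns (`FileSHA256:\s*(?<FileSHA256>[0-9a-fA-F]{64})` and `URI:\s*(?<URI>.*)$`) are what would go on an `EXTRACT-<name>` line in a props.conf stanza for the sourcetype; the hex-length anchor on the hash is the check worth keeping in either place.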