Splunk Enterprise Security

How to extract the following fields?

ralucaserbanesc
New Member

Hi,

I have the following event and I am trying to extract the URI and FileSHA256 fields, but not using the search tab (with the rex command). Would you please assist me on this matter? Thank you.

Jan 29 14:12:48 2020-01-29T12:13:38Z asa-internet-primary-sourcefire3d (null) %NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.213, DstIP: , SrcPort: 15808, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d, SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: , FileType: MSCAB, FileSize: 7796, ApplicationProtocol: HTTP, Client: Microsoft CryptoAPI, WebApplication: Microsoft Update, User: No Authentication Required, FirstPacketSecond: 2020-01-29T12:13:38Z, FilePolicy: AMP-Policy, ArchiveFileName: , ArchiveFileStatus: Extracted, Context: admin, URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="Jan 29 14:12:48 2020-01-29T12:13:38Z asa-internet-primary-sourcefire3d (null) %NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.213, DstIP: , SrcPort: 15808, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d, SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: , FileType: MSCAB, FileSize: 7796, ApplicationProtocol: HTTP, Client: Microsoft CryptoAPI, WebApplication: Microsoft Update, User: No Authentication Required, FirstPacketSecond: 2020-01-29T12:13:38Z, FilePolicy: AMP-Policy, ArchiveFileName: , ArchiveFileStatus: Extracted, Context: admin, URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"
| eval _raw=split(_raw,","), _counter=mvrange(0,mvcount(_raw)), raw=mvzip(_counter,_raw)
| stats count as session by raw
| sort raw
| rex field=raw "(?<time>\w+ \d+ \d+:\d+:\d+) (?<atime>\S+)" | eval atime=strptime(replace(atime,"Z"," +0000"),"%FT%T %z")
| eval raw=if(isnull(atime),raw,null())
| rex field=raw "(?<fieldname>\w+):\s*(?<value>.*)"
| eval {fieldname} = value
| fields - raw fieldname value
| stats values(*) as *

Hi, How about this?

0 Karma

vnravikumar
Champion

Hi

Try this

| makeresults
| eval temp="Jan 29 14:12:48 2020-01-29T12:13:38Z asa-internet-primary-sourcefire3d (null) %NGIPS-1-430005: DeviceUUID: , SrcIP: 10.239.54.213, DstIP: , SrcPort: 15808, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d, SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: , FileType: MSCAB, FileSize: 7796, ApplicationProtocol: HTTP, Client: Microsoft CryptoAPI, WebApplication: Microsoft Update, User: No Authentication Required, FirstPacketSecond: 2020-01-29T12:13:38Z, FilePolicy: AMP-Policy, ArchiveFileName: , ArchiveFileStatus: Extracted, Context: admin, URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"
| rex field=temp "FileSHA256:\s+(?P<FileSHA256>[^,]+).+URI:\s+(?P<URI>.+)$"
0 Karma
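Both replies extract the fields with rex at search time, which is exactly what the question asks to avoid. The way to get URI and FileSHA256 (and the rest of the Firepower "Key: value" list) as ordinary fields without typing rex in the search tab is a search-time extraction in props.conf/transforms.conf, or the same regexes entered under Settings > Fields > Field extractions. The configuration below is an added example, not code from either reply; the sourcetype name cisco:sourcefire, the stanza name ngips_kv and the CIM-style alias names are assumptions, so substitute the sourcetype your input actually assigns. FileSHA256 is the value you will want to join against threat-intelligence lookups, which is why it gets an alias to file_hash.

```ini
# props.conf (assumed sourcetype "cisco:sourcefire"; use the one your input assigns)
[cisco:sourcefire]
# One pass over the whole "Key: value, Key: value, ..." list; the stanza is in transforms.conf below.
REPORT-ngips_kv = ngips_kv
# Tighter, single-purpose extractions for the two fields the question asks about.
# The SHA-256 pattern rejects anything that is not 64 hex characters.
EXTRACT-FileSHA256 = FileSHA256:\s*(?<FileSHA256>[0-9a-fA-F]{64})
EXTRACT-URI = URI:\s*(?<URI>\S+)
# CIM-style names (assumed here) so the hash and URL line up with threat-intel lookups.
FIELDALIAS-ngips_cim = FileSHA256 AS file_hash URI AS url

# transforms.conf
[ngips_kv]
# The first match starts right after the "%NGIPS-n-nnnnnn:" message ID so that DeviceUUID
# is not skipped; every later match starts at the next comma. A value runs up to the next
# comma, so a URI or FileName that itself contains a comma would be truncated.
REGEX = (?:^.*?%NGIPS-\d+-\d+:\s*|,\s*)(\w+):\s*([^,]*)
FORMAT = $1::$2
REPEAT_MATCH = true
```

After editing the files, run `| extract reload=true` once (or restart the search head), then `index=<your index> sourcetype=cisco:sourcefire | table FileSHA256 file_hash URI url` should show the values from the event above without any rex in the search. Keys whose value is empty in the event (DstIP, FileName, ArchiveFileName here) come back empty or absent, so do not build alerts on their absence. The REPORT stanza is generic across Firepower message IDs because it keys on the "Name:" labels rather than on a fixed field order; the two EXTRACT lines are the stricter choice for the fields that feed detections.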