Splunk Enterprise Security

Field Extraction - Nothing is happening

celdridge1988
Engager

To cut a long story short, I'm looking to extract a CVE number for my Vulnerabilities Data Model for ES.
An example of the field I want to extract from is:
plugin_name: Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)
I want to create a field called 'cve' which extracts CVE-2020-0674.
If I rex this in a search, it is fine:

| rex field=_raw "\((?<cve>CVE[\w-]+)"

If I add this as an extracted field by editing props.conf (as shown below) then nothing gets extracted. Does anyone know why?

[source:type]
EXTRACT-cve = (?<cve>CVE[\w-]+)
0 Karma

nickhills
Ultra Champion

Don't forget the double :: when defining props stanzas that apply to a 'source':

[source::/some/source]
EXTRACT-cve = (?<cve>CVE[\w-]+)

{note: edited for clarity}

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Can you give us the entire stanza from props.conf?

If my comment helps, please give it a thumbs up!
0 Karma

celdridge1988
Engager

[nessus:scan]
EXTRACT-cve = \((?<cve>CVE[\w-]+)

I've created a props.conf in a 'local' folder in the TA so that's all that's in that file.

0 Karma

nickhills
Ultra Champion

Also - just picking up on this sentence:

I've created a props.conf in a 'local' folder in the TA so that's all that's in that file.

Is that TA (App) shared globally on the search head?
In order for your extraction to be available in another app, you need to make sure that it is shared globally.

If you have a TA which is not 'visible' in your apps list on the SH, then unless it is global you will never be in that app's context, so your extractions won't be visible from, say, 'Search and Reporting' or any other app.

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Ah ok, confusion with "source" vs "sourcetype"

If your props stanza is a source you must use
[source::/var/log/mylog]

if it's a sourcetype you just use the sourcetype name which in your case is nessus:scan, so
[nessus:scan]
is correct.

Out of interest, how are you collecting logs from nessus - are you using an app to collect data from Security Centre via the API? (if so which one)

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Sorry - hit submit too early...

The reason I ask is that I suspect the logs are being imported as JSON, which means the raw event may look different to what you see rendered as events in the UI.

Could you try (?<cve>CVE[^)]+) as the regex instead?

If my comment helps, please give it a thumbs up!
0 Karma
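To check the regexes proposed in this thread against both event shapes (the rendered key/value line and a raw JSON record) before editing props.conf, here is an added Python example; it is not from the thread or from Splunk, the sample events are constructed, and the "strict" pattern is my own addition rather than one suggested above. Splunk's EXTRACT- settings use PCRE named groups (?<name>...), which Python's re module spells (?P<name>...), so the helper rewrites that first.

```python
import json
import re

# Regexes from the thread, in the PCRE named-group syntax that Splunk's
# EXTRACT- settings use, plus one stricter pattern added here for comparison.
PATTERNS = {
    "original": r"\((?<cve>CVE[\w-]+)",          # the asker's props.conf regex
    "no_paren": r"(?<cve>CVE[^)]+)",             # nickhills' suggested variant
    "strict":   r"\((?<cve>CVE-\d{4}-\d{4,7})",  # added: only well-formed ids
}


def to_python_regex(pcre: str) -> str:
    """Rewrite PCRE (?<name>...) groups as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are untouched: the lookahead only fires
    when a name character follows the '<'.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre)


def extract_cve(pcre: str, raw_event: str):
    """First 'cve' capture from raw_event, or None; mirrors a search-time EXTRACT-."""
    m = re.search(to_python_regex(pcre), raw_event)
    return m.group("cve") if m else None


def check_all(raw_event: str) -> dict:
    """Run every candidate regex over one raw event and collect the results."""
    return {name: extract_cve(p, raw_event) for name, p in PATTERNS.items()}


# Constructed sample events (not taken from the thread or from real Nessus output).
PLUGIN = "Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)"
RENDERED = f"plugin_name: {PLUGIN}"                            # what the UI renders
RAW_JSON = json.dumps({"plugin_name": PLUGIN, "severity": 4})  # what _raw may hold
# A plugin naming two CVEs: shows that CVE[^)]+ captures the whole list, not one id.
MULTI = "plugin_name: Example Browser Update (CVE-2020-0674, CVE-2020-0968)"

if __name__ == "__main__":
    for label, event in [("rendered", RENDERED), ("json", RAW_JSON), ("multi", MULTI)]:
        print(label, check_all(event))
```

Both thread regexes extract CVE-2020-0674 from the rendered and the JSON form alike, so the raw-event shape is not what stops the extraction here; the multi-CVE sample is where the [^)]+ variant over-captures.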

pramit46
Contributor

I see you have not added the exact string in the props. Can you just copy the regex string within the "" and then try?

I mean try adding: \((?<cve>CVE[\w-]+)

0 Karma

celdridge1988
Engager

Hi, thanks for such a quick response. No change unfortunately. I've added the :: mentioned here as well (which I've not seen used before).
Very strange, I've never had issues with this before. Maybe something it doesn't like in the regex?

0 Karma