Splunk Enterprise Security

Field Extraction - Nothing is happening

celdridge1988
Engager

To cut a long story short, I'm looking to extract a CVE number for my Vulnerabilities Data Model for ES.
An example of the field I want to extract from is:
plugin_name: Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)
I want to create a field called 'cve' which extracts CVE-2020-0674.
If I rex this in a search, it is fine:

| rex field=_raw "\((?<cve>CVE[\w-]+)"

If I add this as an extracted field by editing props.conf (as shown below) then nothing gets extracted. Does anyone know why?

[source:type]
EXTRACT-cve = (?<cve>CVE[\w-]+)
0 Karma

nickhills
Ultra Champion

Don't forget the double :: when defining props stanzas that apply to a 'source':

  [source::/some/source]
     EXTRACT-cve = (?<cve>CVE[\w-]+)

{note: edited for clarity}

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Can you give us the entire stanza from props.conf?

If my comment helps, please give it a thumbs up!
0 Karma

celdridge1988
Engager

[nessus:scan]
EXTRACT-cve = \((?<cve>CVE[\w-]+)

I've created a props.conf in a 'local' folder in the TA so that's all that's in that file.

0 Karma

nickhills
Ultra Champion

Also - just picking up on this sentence:

I've created a props.conf in a 'local' folder in the TA so that's all that's in that file.

Is that TA (App) shared globally on the searchhead?
In order for your extraction to be available in another app, you need to make sure that it is shared globally.

If you had a TA which is not 'visible' in your apps list on the SH, unless global, you will never be in that app's context, so your extractions won't be visible from, say, 'search and reporting' or any other app.

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Ah ok, confusion with "source" vs "sourcetype"

If your props stanza is a source you must use
[source::/var/log/mylog]

if it's a sourcetype you just use the sourcetype name which in your case is nessus:scan, so
[nessus:scan]
is correct.

Out of interest, how are you collecting logs from nessus - are you using an app to collect data from Security Centre via the API? (if so which one)

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Sorry - hit submit too early...

The reason I ask is that I suspect the logs are being imported as JSON, which means that the raw event may look different to what you see rendered as events in the UI.

Could you try (?<cve>CVE[^)]+) as the regex instead?

If my comment helps, please give it a thumbs up!
0 Karma
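Before putting an EXTRACT into props.conf it is worth confirming the regex against both shapes the raw event can take (the rendered text and a JSON _raw). The Python below is an added example, not code from the thread's participants or from Splunk; the events are constructed, and Splunk's PCRE `(?<name>...)` groups are translated to Python's `(?P<name>...)` form so the same pattern can be tested locally.

```python
import json
import re
from typing import Dict, Optional

# Constructed sample events: the text form shown in the thread, and the
# JSON form a TA that ingests Nessus results as JSON would store in _raw.
RENDERED_EVENT = (
    "plugin_name: Internet Explorer Scripting Engine Memory Corruption "
    "Vulnerability (CVE-2020-0674)"
)
JSON_EVENT = json.dumps({
    "plugin_id": "000000",  # constructed placeholder, not a real plugin id
    "plugin_name": "Internet Explorer Scripting Engine Memory Corruption "
                   "Vulnerability (CVE-2020-0674)",
})

# The two regexes discussed in the thread, in Splunk's PCRE syntax.
PATTERNS = {
    "original": r"\((?<cve>CVE[\w-]+)",
    "suggested": r"(?<cve>CVE[^)]+)",
}

# Strict shape of a CVE identifier: the loose patterns above capture
# "CVE-2020-0674-related" too, so validate before feeding a data model.
STRICT_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...)."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def extract_cve(raw: str, pattern: str) -> Optional[str]:
    """Apply a Splunk-style EXTRACT regex to a raw event; None if no match."""
    match = re.search(pcre_to_python(pattern), raw)
    return match.group("cve") if match else None


def is_well_formed_cve(value: Optional[str]) -> bool:
    return value is not None and STRICT_CVE.match(value) is not None


def check_all(events: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run every pattern over every event; keys are 'event/pattern'."""
    return {
        f"{ename}/{pname}": extract_cve(raw, pat)
        for ename, raw in events.items()
        for pname, pat in PATTERNS.items()
    }
```

If both shapes extract here but the field is still empty in Splunk, the regex is not the problem and the stanza header or app sharing is the next thing to check.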

pramit46
Contributor

I see you have not added the exact string in the props. Can you just copy the regex string within the "" and then try?

I mean try adding: \((?<cve>CVE[\w-]+)

0 Karma

celdridge1988
Engager

Hi, thanks for such a quick response. No change unfortunately. I've added the :: mentioned here as well (which I've not seen used before).
Very strange, I've never had issues with this before. Maybe something it doesn't like in the regex?

0 Karma