- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Regex User name from Symantec logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are having some issues with extracting fields from our symantec logs. While our team is working through this issue, I would like some help using regex to extract user names.
2020-01-16 08:00:36,Critical,ASPRARWB1,Event Description: [SID: 30413] Web Attack: Passwd File Download Attempt attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EXE,Local Host IP: 127.0.0.1,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 127.0.0.1,Remote Host MAC: 000000000000,Outbound,TCP,Intrusion ID: 0,Begin: 2019-11-27 14:56:07,End: 2019-11-27 14:56:07,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/INETSRV/W3WP.EXE,Location: Default,User: pxmacct,Domain: DOL,Local Port: 53937,Remote Port: 5112,CIDS Signature ID: 30413,CIDS Signature string: Web Attack: Passwd File Download Attempt,CIDS Signature SubID: 74503,Intrusion URL: www.arppapi.dol.ks.gov/cgi-bin/ion-p.exe?page=../../../../../etc/passwd,Intrusion Payload URL: ,SHA-256: 6CD7CC4B72DB91F168C36C500C1BE9AE391C1FF09CD65295BB24267D35373FD9,MD-5:
2020-01-16 08:00:31,Critical,ASPRARWB1,Event Description: [SID: 20521] Web Attack: SGI InfoSearch fname Exec CVE-2000-0207 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EXE,Local Host IP: 127.0.0.1,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 127.0.0.1,Remote Host MAC: 000000000000,Outbound,TCP,Intrusion ID: 0,Begin: 2019-11-27 14:56:01,End: 2019-11-27 14:56:01,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/INETSRV/W3WP.EXE,Location: Default,User: pxmacct,Domain: DOL,Local Port: 53933,Remote Port: 5112,CIDS Signature ID: 20521,CIDS Signature string: Web Attack: SGI InfoSearch fname Exec CVE-2000-0207,CIDS Signature SubID: 75437,Intrusion URL: www.arppapi.dol.ks.gov/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id,Intrusion Payload URL: ,SHA-256: 6CD7CC4B72DB91F168C36C500C1BE9AE391C1FF09CD65295BB24267D35373FD9,MD-5:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try this:
| rex "User\:\s(?<user>[^\,]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked perfectly. Thank you.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
