Source: socprime.com – Author: John Stevens
Sometimes when working with new log sources or unfamiliar event records being shipped to Splunk, you'll encounter logs with important details that would be more useful if they were captured in a field. The entire text of an event is available in the _raw field, but specific details within the event, such as IP addresses or account names, can be extracted into their own fields if you can write a regular expression pattern that matches them. Extracted fields are useful for correlation, for example excluding events from a search when the extracted IP address field falls within a certain network block. Extraction can be done with the rex command.
If you had a log event whose raw text looked like this, for example:

```
Subject:
Security ID: NT AUTHORITY/SYSTEM
Account Name: CONTOSOWORKSTATION$
Account Domain: CONTOSO Logon ID: 0x307
Target Account:
Security ID: NT AUTHORITY/SYSTEM
Account Name: CONTOSOWORKSTATION$
Account Domain: CONTOSO Logon ID: 0x307
Process Information:
Process ID: 0x2a1
Process Name: lsass.exe
Enabled Privileges:
-
Disabled Privileges:
SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
```
You could extract all of the disabled privileges into a `disabled_privs` field with a rex command like this one:

```
| rex field=_raw "Subject:[\s\S\t]+Disabled Privileges:\s+(?<disabled_privs>[\s\S]+)"
```

Every character after "Subject:", including spaces, newlines and tabs, is matched in the _raw field (the `[\s\S]` class is what lets the pattern cross line breaks), and the text following "Disabled Privileges:" is captured in the new field called disabled_privs, which would hold these values:

SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
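To show the same extraction logic outside Splunk, here is an added Python example (not code from the original post) that runs the equivalent regex over a constructed copy of the event above. It goes slightly beyond the SPL one-liner by capturing both the enabled and disabled privilege lists, treating a lone "-" as an empty list, and demonstrating why a plain `.` would fail on a multi-line event; `extract_privileges` and `PRIV_RE` are names chosen for this example.

```python
import re

# Constructed sample event modelled on the one shown above (not from a live system).
SAMPLE_EVENT = """Subject:
Security ID: NT AUTHORITY/SYSTEM
Account Name: CONTOSOWORKSTATION$
Account Domain: CONTOSO Logon ID: 0x307
Target Account:
Security ID: NT AUTHORITY/SYSTEM
Account Name: CONTOSOWORKSTATION$
Account Domain: CONTOSO Logon ID: 0x307
Process Information:
Process ID: 0x2a1
Process Name: lsass.exe
Enabled Privileges:
-
Disabled Privileges:
SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
"""

# Same idea as the SPL rex: [\s\S] crosses line breaks, which "." does not by default.
# One named group per privilege list (Python uses (?P<name>...) for named groups).
PRIV_RE = re.compile(
    r"Subject:[\s\S]+?"
    r"Enabled Privileges:\s+(?P<enabled_privs>[\s\S]*?)\s*"
    r"Disabled Privileges:\s+(?P<disabled_privs>[\s\S]*?)\s*$"
)


def _split_privs(block: str) -> list:
    """Turn a captured privilege block into a list; a lone '-' or blank means none."""
    items = [line.strip() for line in block.splitlines()]
    return [item for item in items if item and item != "-"]


def extract_privileges(raw: str) -> dict:
    """Mimic the rex extraction: return the enabled/disabled privilege lists from _raw."""
    match = PRIV_RE.search(raw)
    if match is None:
        return {"enabled_privs": [], "disabled_privs": []}
    return {name: _split_privs(match.group(name))
            for name in ("enabled_privs", "disabled_privs")}


def dot_does_not_cross_lines(raw: str) -> bool:
    """True when a '.'-based pattern fails: without DOTALL, '.' stops at the first newline."""
    return re.search(r"Subject:.+Disabled Privileges:", raw) is None
```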
Original Post URL: https://socprime.com/blog/extracting-fields-in-spl/
Category & Tags: Blog, Knowledge Bits, SIEM, SIEM & EDR, Splunk