Welcome to the Phantom Function blog collection's inaugural post. In this series, we're going to explore a number of useful custom functions we've built at Hurricane Labs in order to increase the accessibility of playbook development. The sky's the limit when it comes to what you can do in Phantom, but often the limiting factor is whether the actions and functions exist in Phantom to do what you want and, if not, whether you have the Python skills necessary to create them.

We're going to open the series with a particularly versatile function, aptly named extract_regex. This function does what you'd expect it to do: given a string and a regular expression, it returns the matches to you. It supports all of the features of the Python regular expression library, and it will return groups to you as both numbered groups and as named groups.

Let's jump right into reviewing the code. As you can see, there's not a lot to this function. The function takes two inputs, input_text and regex, and outputs two data paths: groups and groupdict. We're utilizing re.search rather than re.match as a convenience to anyone using the function; the difference is that re.match forces the pattern to match at the start of the input, whereas re.search can apply to any part of the input. Regex flags are supported using the standard Python syntax for them, which we'll outline in our examples. The outputs are provided as a list in the groups data path and as a dictionary in the groupdict data path. We expect that the groupdict data path will be used far more often, but both are available for any times where the list might be needed instead. Match groups can be accessed by other actions in the playbook by referencing the group name, which you will see in some of our examples. This function can be very useful in a number of situations where the text you need is embedded within a larger block of text.

This is part eight of the "Hunting with Splunk: The Basics" series. Regular expression (or "gibberish" to the uninitiated) is a compact language that allows analysts to define a pattern in text. When working with ASCII data and trying to find something buried in a log, it's invaluable. "But stop," you say, "Splunk uses fields!" With Splunk, all logs are indexed and stored in their complete form (compared to some *ahem* lesser platforms that only store certain fields). Additionally, Splunk can pull out the most interesting fields for any given data source at search time. However, on occasion, some valuable nuggets of information are not assigned to a field by default, and as an analyst you'll want to hunt for these treasures. Splunk offers two commands (rex and regex) in SPL that allow Splunk analysts to utilize regular expressions in order to assign values to new fields or narrow results on the fly as part of their search. The rex command allows you to substitute characters in a field (which is good for anonymization) as well as extracting values and assigning them to a new field. As a hunter, you'll want to focus on the extraction capability.

As an example, you may hypothesize that there are unencrypted passwords being sent across the wire and that you want to identify and extract that information for analysis. As you start your analysis, you may start by hunting in wire data for http traffic and come across a field in your web log data called form_data. In this one event you can see an unencrypted password, something you never want to see in your web logs! In order to find out how widespread this unencrypted password leakage is, you'll need to create a search using the rex command. Now when I look at the results, lo and behold, I have a new field called "pass"! So how did that happen? How did this new field appear, you ask? Let's break this down. Notice that we use the rex command against the form_data field and then create a NEW field called pass? The "gibberish" in the middle is our regular expression, or "regex", that pulls that data from the form_data field.

In the code below, I show the value of the form_data field. I have highlighted a couple of items of interest to work with. The passwd= string is a literal string, and I want to find exactly that pattern every time. The value immediately after that is the password value that I want to extract for my analysis. Here is my regular expression to extract the password. The named capture group (?<pass>...) specifies the name of the field that the captured value will be assigned to. This will create a "pass" field that you can then search for unencrypted passwords in its value. Now we can perform operations on this new field, such as stats, discussed in John Stoner's excellent blog post "I Need To Do Some Hunting." Cool, huh?
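The two ideas above fit together: a search-anywhere extraction that returns groups and groupdict, applied across web-log events to find the passwd= leak. The following is an added example written for this post, not the Hurricane Labs function or the Splunk search themselves; the shape of extract_regex, the sample events and the field names are assumptions, and the password value is masked in the output so the hunt does not re-expose the secret.

```python
import re

# Constructed sample web-log events (not real data). form_data is the field
# the hunt above inspects for a literal passwd= followed by the secret value.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "form_data": "user=alice&passwd=hunter2&submit=1"},
    {"src": "10.0.0.7", "form_data": "user=bob&token=abc123"},
    {"src": "10.0.0.9", "form_data": "PASSWD=s3cret!&user=carol"},
]

# Splunk rex names a capture with (?<pass>...); Python's re module spells the
# same thing (?P<pass>...). Stop at & or whitespace so only the value is taken.
PASSWORD_REGEX = r"passwd=(?P<pass>[^&\s]+)"


def extract_regex(input_text, regex, flags=0):
    """Stand-in for the playbook function described above (its shape is an
    assumption): re.search so the pattern may match anywhere in the input,
    with captures returned both as a list (groups) and a dict (groupdict).
    Returns None when there is no match."""
    match = re.search(regex, input_text, flags)
    if match is None:
        return None
    return {"groups": list(match.groups()), "groupdict": match.groupdict()}


def search_vs_match(input_text, regex):
    """Why the function uses re.search: re.match only succeeds when the
    pattern matches at position 0. Returns (search_hit, match_hit)."""
    return (re.search(regex, input_text) is not None,
            re.match(regex, input_text) is not None)


def hunt_cleartext_passwords(events, regex=PASSWORD_REGEX, flags=re.IGNORECASE):
    """Apply the extraction across events, like `| rex field=form_data ...`.
    Returns one (src, masked_value) per event that leaked a password; the
    value is masked so the hunt's own output does not re-expose the secret.
    The IGNORECASE flag shows the standard Python flag handling."""
    findings = []
    for event in events:
        result = extract_regex(event["form_data"], regex, flags)
        if result is None:
            continue
        secret = result["groupdict"]["pass"]
        findings.append((event["src"], secret[0] + "*" * (len(secret) - 1)))
    return findings


if __name__ == "__main__":
    for src, masked in hunt_cleartext_passwords(SAMPLE_EVENTS):
        print(f"{src} sent a cleartext password: {masked}")
```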