2017-03-16 10:34 AM
hi,
here is the log
%ePolicy-2-1092: 11940911^^HISE^^2017-02-11 13:36:40.217^^2017-02-11 11:14:23.000^^ENDP_AM_1050^^McAfee Endpoint Security^^11.3.0^^LCT-NB-WAKLI-01^^122.118.1.31^^NULL^^NULL^^Access Protection^^NULL^^122.318.8.41^^RCH-CB-KLAS-01^^142.245.1.12^^SYSTEM^^NULL^^NULL^^NULL^^HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FLASHUTIL32_25_0_0_127_PEPPER.EXE\^^hip.registry^^1092^^2^^Hijacking .EXE or other executable extensions^^IDS_THREAT_TYPE_VALUE_AP^^blocked^^1
I need to parse it. Now filename = HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FLASHUTIL32_25_0_0_127_PEPPER.EXE
I would like only FLASHUTIL32_25_0_0_127_PEPPER.EXE to be present as the filename meta and the rest discarded. How can I achieve this in the ESI tool?
regards
2017-05-11 10:47 AM
Hi,
Maybe someone has a guide on how to use regex in the ESI tool?
Regards
M.
2017-08-10 05:29 AM
Hi Kamil,
What is the device type?
2017-08-10 09:32 PM
The RSA NetWitness parsing engine unfortunately doesn't support regular expressions. If you find the need to leverage regex in logs, you would probably have to use Lua parsers to supplement whatever you are doing.
HOWEVER, in your case you might be in luck, by leveraging EITHER A) the options fields in the ePolicy parser
OR
B) using the log decoder settings to break up the fields. See below to configure your log decoder to split this up.
NOTE: your field in question already parses out to filename. So this should work, though I haven't tested it.
But per the settings below, it should break up the filename and parse the fields into directory and extension as well.
Log Decoder >> explorer
navigate the tree structure to:
decoderNAME > decoder > parsers > config
There should be a filename.meta field that you can flip to one of the following settings:
0 - filename meta with full path
1 - dir and filename meta
2 - dir, filename, and fileext meta
3 - fileext meta only
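As an added illustration (editor's example, not RSA NetWitness, McAfee, or any poster's code), the script below models offline what the two halves of the thread describe: splitting the ePolicy line on its "^^" field separator, and what each of the four filename.meta settings (0-3) listed above leaves in the meta for the path in question. Assumptions not stated on the page: the path sits at 0-based field position 20 (counted by hand from the posted line; the real ePolicy parser names its fields rather than numbering them), fileext is returned without the leading dot, and the trailing backslash on the posted path is dropped before splitting, which matches the filename value the original poster quoted. The same split logic is what a Lua parser would have to implement if option B is not available.

```python
"""Model of the ePolicy "^^" field format and the log decoder's
filename.meta split modes (0-3).  Added example, not vendor code."""
import re

# The line posted in the thread, embedded verbatim (backslashes escaped for Python).
SAMPLE_LINE = (
    "%ePolicy-2-1092: 11940911^^HISE^^2017-02-11 13:36:40.217^^2017-02-11 11:14:23.000"
    "^^ENDP_AM_1050^^McAfee Endpoint Security^^11.3.0^^LCT-NB-WAKLI-01^^122.118.1.31"
    "^^NULL^^NULL^^Access Protection^^NULL^^122.318.8.41^^RCH-CB-KLAS-01^^142.245.1.12"
    "^^SYSTEM^^NULL^^NULL^^NULL"
    "^^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS"
    "\\FLASHUTIL32_25_0_0_127_PEPPER.EXE\\"
    "^^hip.registry^^1092^^2^^Hijacking .EXE or other executable extensions"
    "^^IDS_THREAT_TYPE_VALUE_AP^^blocked^^1"
)

FIELD_SEP = "^^"
# Assumption: 0-based index of the registry/file path, counted from the sample line.
PATH_FIELD = 20

# "%ePolicy-2-1092: <body>" -> parser name, severity digit, message id, body.
HEADER_RE = re.compile(r"^%(?P<parser>[^-]+)-(?P<sev>\d+)-(?P<msgid>\d+):\s*(?P<body>.*)$")


def parse_epolicy_line(line: str) -> dict:
    """Split the header off and break the body on the '^^' separator."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an ePolicy-style line")
    return {
        "parser": m.group("parser"),
        "severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "fields": m.group("body").split(FIELD_SEP),
    }


def split_filename(path: str, mode: int) -> dict:
    """Emulate filename.meta = 0 (full path), 1 (dir + filename),
    2 (dir + filename + fileext), 3 (fileext only).

    Trailing separators are stripped first (the posted path ends in '\\').
    Assumption: fileext is returned without its leading dot."""
    if mode not in (0, 1, 2, 3):
        raise ValueError("mode must be 0-3")
    clean = path.rstrip("\\/")
    # Split on the last backslash or forward slash; registry paths use '\\'.
    idx = max(clean.rfind("\\"), clean.rfind("/"))
    directory, basename = ("", clean) if idx < 0 else (clean[:idx], clean[idx + 1:])
    # A leading dot alone (".bashrc") does not count as an extension.
    ext = basename.rsplit(".", 1)[1] if "." in basename[1:] else ""
    if mode == 0:
        return {"filename": clean}
    if mode == 1:
        return {"dir": directory, "filename": basename}
    if mode == 2:
        return {"dir": directory, "filename": basename, "fileext": ext}
    return {"fileext": ext}


def filename_meta(line: str, mode: int) -> dict:
    """Parse one line and apply a filename.meta mode to its path field."""
    return split_filename(parse_epolicy_line(line)["fields"][PATH_FIELD], mode)


if __name__ == "__main__":
    for mode in range(4):
        print(mode, filename_meta(SAMPLE_LINE, mode))
```

Mode 1 is the one the original poster asked for: the filename meta becomes just FLASHUTIL32_25_0_0_127_PEPPER.EXE, with the Image File Execution Options key path landing in dir instead of being discarded, which is worth keeping since the IFEO location is what makes this Access Protection event an executable-hijacking attempt rather than an ordinary file write.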