zargaran (Honored Contributor)

How to extract a specific string from "message" field in ArcSight ESM Console ?


Hi All

In the "message" field I have a specific string (Virus Name and hash code). In the ArcSight Logger with the "rex" function, I can extract it very easily. But how can I extract this string from the "message" field in ArcSight ESM Console?

I think the Global/Local Variables are a solution. But how? I don't have any experience with this case.

###############################################################

message field content example:

Result: Detected: HackTool.Win32.HackAV.bp
User: LOCAL\foo (Active user)
Object: C:\Users\foo\Desktop\Malwarebytes_Premium_3.7.1.2839\Malwarebytes Premium \Crack\Keygen.exe
Reason: Automatic analysis
Database release date: 11/13/2019 7:05:00 AM
Hash: 6ab07188ef43720f78d19fbcbdf31a65768c27fcae0899e9dc96106a5589c574

I want to extract below strings:

  1. "HackTool.Win32.HackAV.bp"
  2. "6ab07188ef43720f78d19fbcbdf31a65768c27fcae0899e9dc96106a5589c574"

###############################################################

Thanks

BR

Amir


Accepted Solutions
Ajith K S (Respected Contributor)

Re: How to extract a specific string from "message" field in ArcSight ESM Console ?


Hi Amir,

It seems that the event is not being parsed properly. In that case, the better solution would be to parse the logs and map the values to appropriate fields.

You can use local/global variables to extract the required strings, even though it's a bit of a hectic process, as you will have to create multiple variables for this purpose. You can do it as given below:

===Malware Name===

Variable 1 (screenshot: clipboard_image_8.png)

Assuming "Detected:" is always present as the value of Result. If not, you will have to find out the index of the second occurrence of ':' and add 1 to that index and then take the substring.

Variable 2 (screenshot: clipboard_image_9.png)

Variable 3 (screenshot: clipboard_image_10.png)

Variable 4 (screenshot: clipboard_image_11.png)

Variable 5 (screenshot: clipboard_image_12.png)

===Hash===

Variable 1 (screenshot: clipboard_image_5.png)

Variable 2 (screenshot: clipboard_image_6.png)

Variable 3 (screenshot: clipboard_image_7.png)

Regards

Ajith K S

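As an added illustration (not code from the original post or from ArcSight itself), the extraction that the variable chain above performs, written in Python over the question's sample message: it splits the "Key: value" lines on the first ':' only, takes the name after "Detected:" with the answer's second-':' fallback when that marker is missing, and accepts the Hash field only if it is a well-formed SHA-256.

```python
import re

# Constructed sample: the message field quoted in the question (raw string, so the
# Windows backslashes in the Object path are kept literally).
SAMPLE_MESSAGE = r"""Result: Detected: HackTool.Win32.HackAV.bp
User: LOCAL\foo (Active user)
Object: C:\Users\foo\Desktop\Malwarebytes_Premium_3.7.1.2839\Malwarebytes Premium \Crack\Keygen.exe
Reason: Automatic analysis
Database release date: 11/13/2019 7:05:00 AM
Hash: 6ab07188ef43720f78d19fbcbdf31a65768c27fcae0899e9dc96106a5589c574"""

# A SHA-256 is exactly 64 hex characters; anything else is rejected rather than
# stored in a hash-typed field.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_message(message):
    """Turn the 'Key: value' lines into a dict. Only the first ':' separates key
    from value, so values that contain ':' (e.g. 'Detected: X', 'C:\\...') survive."""
    fields = {}
    for line in message.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def malware_name(fields):
    """Name after 'Detected:' in Result; if that marker is absent, fall back to the
    substring after the second ':' of the 'Result: ...' line, as the answer suggests;
    if there is no second ':', return the whole Result value."""
    result = fields.get("Result", "")
    line = "Result: " + result
    marker = line.find("Detected:")
    if marker != -1:
        return line[marker + len("Detected:"):].strip()
    second = line.find(":", line.find(":") + 1)
    return line[second + 1:].strip() if second != -1 else result


def sha256_hash(fields):
    """Return the Hash value, lower-cased, only if it is a well-formed SHA-256."""
    value = fields.get("Hash", "")
    return value.lower() if SHA256_RE.match(value) else None


def extract(message):
    """The two values the question asks for: (malware name, sha256 or None)."""
    fields = parse_message(message)
    return malware_name(fields), sha256_hash(fields)
```

A Logger "rex" equivalent would be a single regex; the function form above makes the fallback and the hash check explicit, which is what a variable chain in ESM cannot easily express.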

4 Replies
benh3103 (Trusted Contributor)

Re: How to extract a specific string from "message" field in ArcSight ESM Console ?


Hello! Just to be sure: map files are unacceptable in this case?

zargaran (Honored Contributor)

Re: How to extract a specific string from "message" field in ArcSight ESM Console ?


I say yes, if it solves this request.

BR

Amir


zargaran (Honored Contributor)

Re: How to extract a specific string from "message" field in ArcSight ESM Console ?


Dear @Ajith K S

It's so useful for all members of this community.

Many thanks for your complete and quick response.


BR

Amir
