Comments on Learning by practicing: QRadar - Extracting fields from WebSense events
Blog author: Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN (https://www.blogger.com/profile/10282323977269843041)
Comment feed last updated 2024-03-28. Comments below are in chronological order.

Anonymous, 2016-01-14 07:11 -08:00:
Copy and paste error for the disposition field.

Should be:
Regex: (\sdisposition=)([a-zA-Z]*)(\s) - Capture Group: 2

Nik Alleyne, 2016-01-14 07:23 -08:00:
Thanks for the update! Very much appreciated!!

Anonymous, 2017-06-14 07:31 -07:00:
Thanks, it helps a lot. I need to extract fields from sysmon logs.

Nik Alleyne, 2017-06-14 18:43 -07:00:
Glad you found it helpful. However, for sysmon you will at least need to develop a UDSM, as I don't think there is any DSM for this.

Take a look at my post on building your first UDSM. This should help you.

Anonymous, 2017-06-14 22:42 -07:00:
Created a uDSM for it; it actually receives logs. I need a RegEx to extract useful fields. For ProcessGuid I have used \sLogonGuid:\s(.*?)\s\w+:

The payload contains: LogonGuid: {8CD23D7C-B703-5922-0000-0020E7030000} LogonId: 0x3e7

Like this, what are the important fields to extract? That I don't understand.

Nik Alleyne, 2017-06-15 05:14 -07:00:
Send me a few sanitized sample logs, maybe about 10 entries in a file, and I will put together a quick post on parsing SYSMON.
Send them to my email nikalleyne at gmail dot com.

Anonymous, 2017-06-18 23:22 -07:00:
In my case, my WinCollect payload gets truncated on the QRadar side. How do I solve this?

Nik Alleyne, 2017-06-19 05:46 -07:00:
Are you using the latest version of the WinCollect software?

Anonymous, 2017-06-19 23:03 -07:00:
Yes, 7.2.

Nik Alleyne, 2017-06-20 08:58 -07:00:
If you haven't as yet, I suggest you open a ticket with IBM to see what's going on.
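The two regexes posted in this thread, put to work as an added example that is not part of the original post or of any commenter's code: the corrected WebSense disposition pattern (capture group 2) and a generalisation of the Sysmon LogonGuid pattern to any "Name: value" field, run against constructed sample payloads with Python's re module standing in for QRadar's Java regex engine. The payloads, the field values and the helper names sysmon_field and disposition are assumptions made for illustration, and the two variant patterns (the end-of-payload tolerant disposition regex and the letters-only terminator) are additions here, not from the page.

```python
import re

# Constructed sample payloads (not real events). The field layout follows the
# commenters' examples above: a Sysmon "Process Create" body as WinCollect
# forwards it, and two WebSense key=value events.
SYSMON_SAMPLE = (
    "Process Create: RuleName: - UtcTime: 2017-06-14 22:40:01.123 "
    "ProcessGuid: {8CD23D7C-B7A1-5922-0000-0010E8550100} ProcessId: 4312 "
    "Image: C:\\Windows\\System32\\cmd.exe "
    "LogonGuid: {8CD23D7C-B703-5922-0000-0020E7030000} LogonId: 0x3e7 "
    "TerminalSessionId: 1"
)

WEBSENSE_BLOCKED = (
    "vendor=Websense product=Security category=Malicious "
    "disposition=Blocked policy=Default"
)
# Same format, but disposition is the last key: nothing follows the value.
WEBSENSE_LAST_FIELD = (
    "vendor=Websense product=Security category=Business disposition=Permitted"
)


def sysmon_field(payload, name, terminator=r"\w+:"):
    r"""Generalise the commenter's pattern  \sLogonGuid:\s(.*?)\s\w+:  to any
    'Name: value' field. Capture group 1 is the value, read lazily up to the
    next 'Token:' label. The terminator is a parameter because \w+: also
    matches '22:' inside a timestamp; pass r"[A-Za-z]+:" for such fields."""
    pattern = r"\s" + re.escape(name) + r":\s(.*?)\s" + terminator
    m = re.search(pattern, payload)
    return m.group(1) if m else None


# The regex exactly as corrected in the comments: capture group 2 is the value.
DISPOSITION_RE = re.compile(r"(\sdisposition=)([a-zA-Z]*)(\s)")
# Variant (assumption, not from the page) that also accepts the value when it
# is the last thing in the payload and no whitespace follows it.
DISPOSITION_RE_EOL = re.compile(r"(\sdisposition=)([a-zA-Z]*)(?:\s|$)")


def disposition(payload, pattern=DISPOSITION_RE):
    """Return the WebSense disposition, or None when the pattern does not match."""
    m = pattern.search(payload)
    return m.group(2) if m else None


if __name__ == "__main__":
    for name in ("ProcessGuid", "LogonGuid", "LogonId", "UtcTime", "TerminalSessionId"):
        print(f"{name:18s} -> {sysmon_field(SYSMON_SAMPLE, name)!r}")
    print("UtcTime, letters-only terminator ->",
          sysmon_field(SYSMON_SAMPLE, "UtcTime", terminator=r"[A-Za-z]+:"))
    print("disposition, as posted    ->", disposition(WEBSENSE_BLOCKED),
          disposition(WEBSENSE_LAST_FIELD))
    print("disposition, EOL-tolerant ->", disposition(WEBSENSE_BLOCKED, DISPOSITION_RE_EOL),
          disposition(WEBSENSE_LAST_FIELD, DISPOSITION_RE_EOL))
```

Running it shows why a custom property regex should be checked against several payloads before it goes into QRadar: the posted disposition pattern returns nothing when disposition is the final key, and the `\w+:` terminator of the Sysmon pattern stops at the first "hh:" of a UtcTime value, yielding "2017-06-14" instead of the full timestamp, while TerminalSessionId at the end of the payload is not captured at all.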