07-02-2021 01:23 AM
Demisto get a syslog message from panorama from threat log.
To clarify my problem, here a simplified syslog output, which Demisto gets in:
1,2,3,"jon,doe",5,6,7 (Example: Mail Subject)
My Problem lies on the syslog incoming Mapper, I would like to cut the syslog message into the right field, (here "Subject")
So, I use as first transformer "Replace match (String)" to get rid of the commas between the "
the only one reasonable regex string I found so far is that one:
But since Demisto uses for "Replace match (String)" those Regex-Implementation (https://github.com/google/re2/wiki/Syntax) the ?= regex is not working (NOT IMPLEMENTED)
Is any one here with a solution regarding those "commas between double quotes"? Maybe there is a way on Panorama to escape those commas with ie "=2C"?
Any help will be apriciated
07-20-2021 10:42 AM
If I understand correctly, you'd like for an input field like '1,2,3,"jon,doe",5,6,7' to be transformed into just 'jon,doe' and XSOAR's implementation of regex does not include the positive look ahead operator.
Perhaps this could do what you're looking for:
Second, use the 'To string' transformer with one double quote for the 'to' value
When its done it should look something like this:
From string (from: ")
To string (to: ")
Hope this helps
08-27-2021 02:43 AM
The solution sounds fine, but Wildfire's syslog has more than one field with "-s in it.
And I would like to use it in a mapper, so there are 78 mappings for each Syslog-Entry. And this is only for Wildfire-Mapping.
is there no easier way?
I think that this is a "normal" syslog behavior, that commas are present in the comments inside of ".
08-27-2021 04:13 AM
Thanks for providing that simplified syslog output in your original post. Could you provide an actual syslog message? Please redact anything sensitive of course.
08-30-2021 02:02 AM
So, here one example:
1,2021/08/26 15:03:56,013201006616,THREAT,wildfire,2305,2021/08/26 15:03:51,184.108.40.206,220.127.116.11,0.0.0.0,0.0.0.0,SMTP-Traffic,,,smtp-base,vsys0,DMZ,EXT,ae2.2,ae1.1,PANORAMA,2021/08/26 15:03:51,1015351,1,58020,25,0,0,0x1102000,tcp,allow,"http://<url>/r/?id=tc08d19,8cb4a0,9b03889&p1=%40kjsI",Email Link(52143),phishing,high,client-to-server,6951421833034849569,0xa000000000000000,<countr>,10.0.0.0-10.255.255.255,0,,0,<sha256>,eu.wildfire.paloaltonetworks.com,0,,email-link,,,<sender-Email>,"Buy It, Mike!",<recipient Email>,5131320962,2060,1816,0,0,DMZ-1,<machinename>,,,,,0,,0,,N/A,unknown,WildFire-0,0x0,0,4294967295,,,<code>,0,
I've replaced some stuff with <> and modified IP's, vlans etc.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!