Need help with regex

Hi Team
I am trying to build a query which uses Office 365 and CrowdStrike together.

My events section looks like this:

events:
    $event.metadata.vendor_name = "Crowdstrike" nocase
    $event.metadata.product_name = "Falcon"
    $event.metadata.log_type = "CS_DETECTS"
    $user = $event.principal.user.user_display_name

    $email.metadata.product_name = "Office 365"
    $email.metadata.event_type = "EMAIL_TRANSACTION"
    $email.metadata.product_event_type = "TIMailData"
    $email.about.labels["DeliveryAction"] = "Delivered"
    $email.security_result.category = "MAIL_PHISHING"
    $email.network.email.to =

The assistance I want here is with the email address: I wish to remove the domain part and just capture the user.
For example, from the email id abcd.xyz@google.com I want to capture just abcd.xyz.
Can someone help me with this?


I could try to write a regex expression and it might work but I just wrote a blog on extracting host/domain names and a few others on substrings so using some of those tools, I came up with this and figured I would share it as a way that might work without having to use regex.

I built it in the form of a search but I think those variables I wrote in the outcome section could easily go into your events section since they are just string manipulations.

 
metadata.product_name = "Office 365" AND principal.user.userid != "" and strings.contains(principal.user.userid,"@")
outcome:
$original_id = principal.user.userid
$extract_hostname = strings.extract_hostname(principal.user.userid)
$length_of_hostname_plus_at = strings.length(strings.extract_hostname(principal.user.userid)) +1
$substring_of_length_minus_hostname = strings.substr(principal.user.userid, 1, strings.length(principal.user.userid) - (strings.length(strings.extract_hostname(principal.user.userid)) +1))

That said, depending on whether we are dealing with repeated fields, that can introduce a little more complexity; however, we could work with that with array_distinct.

metadata.product_name = "Office 365" AND principal.user.email_addresses != "" and strings.contains(principal.user.email_addresses,"@")
$original_id = principal.user.email_addresses
match:
$original_id
outcome:
$extract_hostname = array_distinct(strings.extract_hostname(principal.user.email_addresses))
$length_of_hostname_plus_at = array_distinct(strings.length(strings.extract_hostname(principal.user.email_addresses)) +1)
$substring_of_length_minus_hostname = array_distinct(strings.substr(principal.user.email_addresses, 1, strings.length(principal.user.email_addresses) - (strings.length(strings.extract_hostname(principal.user.email_addresses)) +1)))

Based on what you provided in the events section, I think (I haven't tested since I don't have the same data sets) that the last line is what you need to make this work.

 
$event.metadata.vendor_name = "Crowdstrike" nocase
$event.metadata.product_name = "Falcon"
$event.metadata.log_type = "CS_DETECTS"
$user = $event.principal.user.user_display_name
$email.metadata.product_name = "Office 365"
$email.metadata.event_type = "EMAIL_TRANSACTION"
$email.metadata.product_event_type = "TIMailData"
$email.about.labels["DeliveryAction"] = "Delivered"
$email.security_result.category = "MAIL_PHISHING"
$user = strings.substr($email.network.email.to, 1, strings.length($email.network.email.to) - (strings.length(strings.extract_hostname($email.network.email.to)) +1))

Extract Domain/Hostnames: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Domain-and-Hostname-Extr...

strings.contains and strings.substr: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-What-s-in-a-String/ba-p/...
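As an added illustration (not part of the thread, and not Google SecOps code), the following Python mirrors the reply's substring arithmetic and the regex the question asked for, checks that the two agree, and then performs the CrowdStrike-to-Office 365 join the combined rule is aiming at. All records are constructed sample data with the thread's field names; the case-insensitive user comparison is an assumption, since a YARA-L placeholder join would be exact.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records standing in for the two UDM sources in the thread.
CS_DETECTS = [
    {"vendor_name": "CrowdStrike", "user_display_name": "abcd.xyz"},
    {"vendor_name": "CrowdStrike", "user_display_name": "Jane.Doe"},
]
O365_MAIL = [
    {"DeliveryAction": "Delivered", "category": "MAIL_PHISHING",
     "to": ["abcd.xyz@google.com", "abcd.xyz@google.com", "ops@example.com"]},
    {"DeliveryAction": "Delivered", "category": "MAIL_PHISHING",
     "to": ["jane.doe@example.com"]},
    {"DeliveryAction": "Blocked", "category": "MAIL_PHISHING",
     "to": ["abcd.xyz@google.com"]},
]

EMAIL_LOCAL_PART = re.compile(r"^([^@\s]+)@[^@\s]+$")

def local_part_regex(addr):
    """Regex form the question asked for: group 1 is everything before the @."""
    m = EMAIL_LOCAL_PART.match(addr)
    return m.group(1) if m else None

def local_part_substr(addr):
    """Mirror of the reply's YARA-L arithmetic:
    substr(addr, 1, length(addr) - (length(extract_hostname(addr)) + 1)).
    The reply's strings.contains(..., "@") guard is kept: without an @ the
    hostname would be the whole string and the arithmetic would go negative."""
    if "@" not in addr:
        return None
    hostname = urlsplit("//" + addr).hostname   # "user@host" parses as userinfo@host
    if not hostname:
        return None
    keep = len(addr) - (len(hostname) + 1)       # drop "@" plus the hostname
    return addr[:keep]                           # YARA-L substr is 1-based, Python 0-based

def match_phishing_to_users(cs_events, mail_events):
    """Join: CrowdStrike display name == local part of a Delivered MAIL_PHISHING
    recipient. Repeated 'to' values are de-duplicated like array_distinct.
    Assumption: case-insensitive comparison (a placeholder join would be exact)."""
    users = {e["user_display_name"].lower() for e in cs_events}
    hits = []
    for m in mail_events:
        if m["DeliveryAction"] != "Delivered" or m["category"] != "MAIL_PHISHING":
            continue
        for local in sorted({local_part_substr(a) for a in m["to"]} - {None}):
            if local.lower() in users:
                hits.append(local)
    return hits
```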