Within the Cisco Live Melbourne SOC, we use a combination of Endace full packet capture (PCAP), Splunk Enterprise Security and Splunk SOAR to provide automated detections of cleartext credential leakage. This approach uses an Event Based Detection (EBD) in Enterprise Security, searching over the metadata that the Endace PCAP system stores in Splunk. Part of the approach is to look for usernames and passwords in several cleartext protocols, including FTP, SMTP, HTTP, and POP3.
One problem with this is that, across these protocols, the username and/or password can land in several different schema fields depending on which protocol is in use. We solve this using the coalesce function in Splunk's eval command. The coalesce function returns the first non-null value from a list of candidate values, similar to the COALESCE function in SQL. In our case, we use it like so:


However, during Cisco Live we discovered a problem with this logic. Splunk treats a field that exists but is empty as not-null, so coalesce will happily return an empty string rather than moving on to the next candidate. For example, we have this event from our dataset:


In this event, the username is an empty string and the mailfrom field contains the actual username. The design of our coalesce was failing us here by grabbing the empty username, because it was technically "" rather than NULL.
So, what to do? We wanted a quick and easy way to clean up the empty strings. One answer is a Splunk macro. Macros let you define snippets of SPL that can be called by name anywhere you like.
We defined several macros, all named clean_empty_strings. Splunk lets you overload the name of a macro as long as the number of arguments differs, so we defined several versions of this macro, such as clean_empty_strings(), clean_empty_strings(2), clean_empty_strings(3) and so on, all the way up to clean_empty_strings(8). They are largely identical apart from the number of arguments. We stopped at 8 because that was how many fields we needed to clean at once in our detection; the overloading is purely a convenience.
The macro definition looks like this:


In the GUI, it looks like:


Now, in the detection SPL, we can use it like so:


From here, we know that none of the fields we are about to coalesce can contain an empty string, so coalesce will fall through to the next populated field as intended. The detection is much more reliable, without a lot of added complexity.
Check out the other blogs by my colleagues in the Cisco Live Melbourne 2026 SOC.
We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
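To make the null-versus-empty-string distinction concrete, here is an added Python model of the detection logic (not the SOC's SPL and not code from the original post). It mirrors SPL coalesce semantics, where a field holding "" is not null, applies a clean_empty_strings step equivalent to the macro described above, and runs both the naive and fixed username extraction over a handful of constructed events. The event records, field names (user, mailfrom, pass) and the SPL rendering in the comment are my own assumptions for illustration.

```python
"""Model of the coalesce() pitfall and the clean_empty_strings fix.

Splunk's eval coalesce() returns the first argument that is not null. A field
that is present with the value "" is not null, so a bare coalesce returns it
instead of the next candidate. Nulling out empty strings first restores the
intended fall-through behaviour.
"""
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample events (not from the SOC dataset). None models a field
# that is absent from the event; "" models a field that exists but is empty.
EVENTS: List[Dict[str, Any]] = [
    {"protocol": "ftp", "user": "alice", "mailfrom": None, "pass": "hunter2"},
    {"protocol": "smtp", "user": "", "mailfrom": "bob@example.test", "pass": None},
    {"protocol": "http", "user": None, "mailfrom": None, "pass": None},
]


def splunk_coalesce(*values: Optional[str]) -> Optional[str]:
    """Mirror SPL coalesce(): first value that is not null. "" is NOT null."""
    for v in values:
        if v is not None:
            return v
    return None


def clean_empty_strings(event: Dict[str, Any], *fields: str) -> Dict[str, Any]:
    """Model of the clean_empty_strings(N) macro family.

    Any listed field whose value is the empty string is set to null (None) so
    that coalesce() skips it. Python varargs stand in for Splunk's per-arity
    macro overloads. The SPL this imitates is my rendering, not the post's
    definition; roughly: eval field = if(field == "", null(), field)
    """
    cleaned = dict(event)
    for f in fields:
        if cleaned.get(f) == "":
            cleaned[f] = None
    return cleaned


def naive_username(event: Dict[str, Any]) -> Optional[str]:
    """The original coalesce: returns "" for the SMTP event above."""
    return splunk_coalesce(event.get("user"), event.get("mailfrom"))


def fixed_username(event: Dict[str, Any]) -> Optional[str]:
    """Clean empty strings first, then coalesce: falls through to mailfrom."""
    e = clean_empty_strings(event, "user", "mailfrom")
    return splunk_coalesce(e.get("user"), e.get("mailfrom"))


def detect(events: Iterable[Dict[str, Any]],
           extractor: Callable[[Dict[str, Any]], Optional[str]]
           ) -> List[Tuple[str, str]]:
    """Return (protocol, username) for events where a username was recovered.

    With the naive extractor the SMTP event yields "" and is dropped; with the
    fixed extractor it yields the mailfrom value and is kept.
    """
    hits = []
    for ev in events:
        user = extractor(ev)
        if user:  # "" and None both count as "no username recovered"
            hits.append((ev["protocol"], user))
    return hits


if __name__ == "__main__":
    print("naive:", detect(EVENTS, naive_username))
    print("fixed:", detect(EVENTS, fixed_username))
```

The detect helper deliberately treats both "" and None as "nothing found": that is the symptom the SOC saw, where the SMTP leak was silently missed because coalesce handed back an empty string and the rest of the search had nothing to match on.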