In the Cisco Live Melbourne SOC, we use a combination of Endace full packet capture (PCAP), Splunk Enterprise Security, and Splunk SOAR to provide automated detection of cleartext credential leakage. This approach uses an Event Based Detection (EBD) in Enterprise Security, searching over the metadata stored in Splunk by the Endace PCAP system. Part of the approach is to look for usernames and passwords in several cleartext protocols, including FTP, SMTP, HTTP, and POP3.
One problem with this is that, across these protocols, the username and/or password may be stored in several different schema fields depending on which protocol is in use. We solve this using the coalesce function in Splunk's eval command. The coalesce function returns the first non-null value from a list of possible values, just like the COALESCE function in SQL. In our case, we use it like so:


However, during Cisco Live we discovered a problem with this logic. Splunk treats a field that exists but is empty as not-null. So, for example, we have this event from our dataset:


In this event, the username is an empty string and the mailfrom field contains the username. The design of our coalesce was failing us here by grabbing the empty username, because it was technically "" rather than NULL, so coalesce never got as far as mailfrom.
So, what to do? We wanted a quick and easy way to clean up the empty strings. One answer is a Splunk macro. Macros let you define snippets of SPL code that can be called by name wherever you'd like.
We defined several macros, all named clean_empty_strings. Splunk lets you overload the name of a macro as long as the number of arguments is different. So we defined several versions of this macro, like clean_empty_strings(), clean_empty_strings(2), clean_empty_strings(3) and so on, all the way up to clean_empty_strings(8). They are basically identical apart from the number of arguments. We went up to 8 simply as a convenience, because that was how many fields we needed to clean at once in our detection.
The macro definition looks like this:


In the GUI, it looks like:


Now, in the detection SPL, we can use it like so:


From here, we know that none of the fields we are about to coalesce can possibly contain an empty string value, so the first non-null value really is the first populated one. The detection is much more reliable, without a lot of added complexity.
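As an added illustration (this is not the SOC's own SPL, which is not reproduced above), the following Python models a Splunk event as a dict and replays the problem and the fix over a few constructed events: a coalesce that, like Splunk's, treats a present-but-empty field as a value; the empty-string cleanup that the clean_empty_strings macro performs (the SPL idiom `eval f=if(f=="", null(), f)` has the same effect); and the corrected username and password extraction. The field names other than user and mailfrom, and the sample events themselves, are assumptions made up for the demonstration.

```python
"""Model of the Splunk coalesce-versus-empty-string pitfall.

Added example, not the Cisco SOC's own SPL.  A dict stands in for a Splunk
event: a key that is absent or None is a null field, while "" is a field
that exists but is empty.  Splunk's coalesce() returns the first argument
that is not null, and "" is not null, so coalesce(user, mailfrom) returns ""
and never reaches mailfrom.
"""
from typing import Dict, List, Optional, Tuple

Event = Dict[str, Optional[str]]

# Constructed sample events, one per cleartext protocol (not real capture data).
# Field names other than user/mailfrom are assumptions for this example.
EVENTS: List[Event] = [
    {"protocol": "ftp", "user": "ftpadmin", "password": "hunter2"},
    # The problem case from the post: empty user, real username in mailfrom.
    {"protocol": "smtp", "user": "", "mailfrom": "alice@example.com", "password": "s3cret"},
    {"protocol": "http", "user": "", "http_user": "bob", "http_password": "p@ss"},
    {"protocol": "pop3", "user": "", "pop3_user": ""},  # nothing usable here
]

# The candidate fields, in the order we would list them in coalesce().
USER_FIELDS = ("user", "mailfrom", "http_user", "pop3_user")
PASSWORD_FIELDS = ("password", "http_password", "pop3_password")


def splunk_coalesce(event: Event, *fields: str) -> Optional[str]:
    """Splunk semantics: first value that is not null; "" counts as a value."""
    for name in fields:
        value = event.get(name)
        if value is not None:
            return value
    return None


def clean_empty_strings(event: Event, *fields: str) -> Event:
    """Model of the clean_empty_strings macro: turn "" into null for the
    named fields so that a later coalesce skips them.  Returns a new event
    rather than mutating the input, as eval produces a new field value."""
    cleaned = dict(event)
    for name in fields:
        if cleaned.get(name) == "":
            cleaned[name] = None
    return cleaned


def naive_username(event: Event) -> Optional[str]:
    """The original detection logic: coalesce straight over the raw fields."""
    return splunk_coalesce(event, *USER_FIELDS)


def fixed_credentials(event: Event) -> Tuple[Optional[str], Optional[str]]:
    """The corrected logic: clean the empty strings first, then coalesce."""
    cleaned = clean_empty_strings(event, *USER_FIELDS, *PASSWORD_FIELDS)
    return (
        splunk_coalesce(cleaned, *USER_FIELDS),
        splunk_coalesce(cleaned, *PASSWORD_FIELDS),
    )


def detect_cleartext_credentials(events: List[Event]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (protocol, username, password) for every event that yields a
    username after cleanup.  Events with no populated username are dropped."""
    hits = []
    for ev in events:
        user, password = fixed_credentials(ev)
        if user is not None:
            hits.append((ev["protocol"], user, password))
    return hits


if __name__ == "__main__":
    for ev in EVENTS:
        print(f'{ev["protocol"]:5} naive={naive_username(ev)!r:22} fixed={fixed_credentials(ev)!r}')
    print(detect_cleartext_credentials(EVENTS))
```

Running the script shows the SMTP event yielding '' from the naive coalesce and 'alice@example.com' from the fixed one; the POP3 event, whose candidate fields are all empty, correctly produces no hit at all instead of a false positive with an empty username.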
Check out the other blogs by my colleagues in the Cisco Live Melbourne 2026 SOC.
We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media

