Search the string after base64decoding

Follow

Prabakaran Venkatesh

• May 28, 2020 17:12

I need to search some IOCs after decoding the logs, can someone correct my query?

 

_sourceCategory=*tanium* | parse "payload=*\"}" as test
| base64Decode(test) as _V | search a string inside the field _V

0

• 

  Kevin Keech

  • May 28, 2020 17:28

  When you say you want to search, do you just want to return messages where the parsed field includes a specific string? If so then you can use a "matches" operation within a "where" statement like below. 
  
  _sourceCategory=*tanium*
  | parse "payload=*\"}" as test
  | base64Decode(test) as _V
  | where _V matches "*<string>*"
  
  If you want to further parse a value from the decoded field you can perform additional parsing on the field text using the following format. 
  
  | parse field=_V "anchor text * anchor text" as newfield 
  
  
  

  0

  Comment actions Permalink

Please sign in to leave a comment.