Search the string after base64decoding
I need to search some IOCs after decoding the logs, can someone correct my query?
_sourceCategory=*tanium* | parse "payload=*\"}" as test
| base64Decode(test) as _V | search a string inside the field _V
-
When you say you want to search, do you just want to return messages where the parsed field includes a specific string? If so then you can use a "matches" operation within a "where" statement like below.
_sourceCategory=*tanium*
| parse "payload=*\"}" as test
| base64Decode(test) as _V
| where _V matches "*<string>*"
If you want to further parse a value from the decoded field, you can perform additional parsing on the field text using the following format.
| parse field=_V "anchor text * anchor text" as newfield
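Added example (not code from the original thread or from Sumo Logic): the same four steps run offline in Python over constructed log lines, so the parse anchor, the decode step and the IOC list can be checked before they go into a query. The `payload=...\"}` line layout, the sample base64 values and the IOC strings are constructed for this example; the substring match here is case-insensitive, which is a choice of this example rather than a statement about the `matches` operator.

```python
import base64
import binascii
import re
from typing import Optional

# Mirrors the page's parse anchor payload=*\"}: capture text between payload= and "}
PAYLOAD_RE = re.compile(r'payload=(.*?)"\}')

# Constructed sample log lines (not real Tanium output); payloads are base64 text
SAMPLE_LOGS = [
    'ts=1 src=tanium {"payload=aG9zdD1ldmlsLmV4YW1wbGU="}',   # host=evil.example
    'ts=2 src=tanium {"payload=c3RhdHVzPW9r"}',               # status=ok
    'ts=3 src=tanium {"payload=aG9zdD1ldmlsLmV4YW1wbGU"}',    # same, padding stripped
    'ts=4 src=tanium {"payload=not base64!"}',                # not decodable
    'ts=5 src=tanium heartbeat',                              # no payload field
]

def extract_payload(line: str) -> Optional[str]:
    """Return the still-encoded payload text from one log line, or None."""
    m = PAYLOAD_RE.search(line)
    return m.group(1) if m else None

def b64_decode_lenient(text: str) -> Optional[str]:
    """Decode like a search pipeline must: tolerate missing padding and the URL-safe
    alphabet, and return None instead of raising when the field is not base64."""
    t = text.strip()
    try:
        raw = base64.b64decode(t + "=" * (-len(t) % 4), altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")  # payload may be binary; do not fail

def find_ioc_hits(lines, iocs):
    """Offline equivalent of `| where _V matches "*<string>*"`: a case-insensitive
    substring test of each IOC against the decoded payload."""
    hits = []
    for no, line in enumerate(lines, 1):
        payload = extract_payload(line)
        decoded = b64_decode_lenient(payload) if payload is not None else None
        if decoded is None:
            continue
        hits.extend((no, ioc, decoded) for ioc in iocs if ioc.lower() in decoded.lower())
    return hits

def parse_after_anchor(decoded: str, before: str, after: str) -> Optional[str]:
    """Offline equivalent of `| parse field=_V "before * after" as newfield`."""
    m = re.search(re.escape(before) + r"(.*?)" + re.escape(after), decoded)
    return m.group(1) if m else None
```

Running `find_ioc_hits(SAMPLE_LOGS, ["evil.example"])` reports lines 1 and 3 only: line 4 is skipped because it is not valid base64 rather than aborting the whole search.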