Security SPL • Room 3

On-the-fly Extraction

Sometimes malicious indicators are buried inside long, messy payload strings that Splunk hasn't parsed automatically.

You can use the `rex` command (regular expression extraction) to create a new field out of almost anything on the fly during your investigation: the new field takes its name from a named capture group in the regular expression, so no prior field extraction configuration is needed.
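The mechanism `rex` relies on, shown as an added Python emulation that is not Splunk code and not part of this room: a named capture group is run over each event's `raw_payload`, and the group name becomes a new field on the events that match, while non-matching events pass through unchanged. The events, hostnames and payload strings are constructed for the demonstration. One syntax caveat: Splunk (PCRE) writes named groups as `(?<name>...)`, whereas Python's `re` module needs `(?P<name>...)`.

```python
import re

# Constructed sample events standing in for Splunk events that carry an
# unparsed raw_payload field. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "raw_payload": "beacon;HOST=10.0.0.5;PORT=4444;SLEEP=60"},
    {"host": "ws02", "raw_payload": "beacon;HOST=10.0.0.6;PORT=80;SLEEP=60"},
    {"host": "ws03", "raw_payload": "beacon;HOST=10.0.0.7;PORT=51234;SLEEP=30"},
    {"host": "ws04", "raw_payload": "heartbeat;no port here"},
]

# Splunk spells named groups (?<name>...); Python's re module needs (?P<name>...).
# Exactly four digits, as in the room's hint.
C2_PORT_PATTERN = r"PORT=(?P<c2_port>\d{4})"
# Variant that captures the whole port (1-5 digits) and refuses to stop mid-number.
C2_PORT_PATTERN_FULL = r"PORT=(?P<c2_port>\d{1,5})(?!\d)"


def rex_extract(events, field, pattern):
    """Emulate `| rex field=<field> "<pattern>"`: every named group becomes a field.

    Events whose field does not match are returned unchanged, which mirrors
    Splunk: the new field is simply absent on those events.
    """
    regex = re.compile(pattern)
    out = []
    for event in events:
        event = dict(event)  # never mutate the caller's events
        value = event.get(field)
        match = regex.search(value) if isinstance(value, str) else None
        if match:
            event.update({name: val for name, val in match.groupdict().items()
                          if val is not None})
        out.append(event)
    return out


def c2_ports(events, pattern=C2_PORT_PATTERN):
    """Return {host: c2_port} for the events where the field was extracted."""
    return {e["host"]: e["c2_port"]
            for e in rex_extract(events, "raw_payload", pattern)
            if "c2_port" in e}


if __name__ == "__main__":
    print("exactly four digits:", c2_ports(SAMPLE_EVENTS))
    print("whole port number:  ", c2_ports(SAMPLE_EVENTS, C2_PORT_PATTERN_FULL))
```

Running it shows why the regex deserves a second look before it goes into a detection: `\d{4}` skips `PORT=80` (only two digits) and silently truncates `PORT=51234` to `5123`, so the extracted `c2_port` would be wrong for that event, whereas the `\d{1,5}` variant with a trailing `(?!\d)` captures each port in full.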

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
You have a field called `raw_payload`. Use `rex` to extract any 4 digits following "PORT=" into a new field called `c2_port`. Example: PORT=4444. Hint: The regex is `PORT=(?<c2_port>\d{4})`