Question on parsing by regular expression in Pattern Designer
09-05-2018 12:42 PM
I am working on discovering all certs on Windows servers (Linux to come) to check for any expiring within X amount of days. I received the suggestion to try using the Pattern Designer as I was having issues using Probes and Sensors. I added a step to the Windows OS - Servers discovery pattern with the operation of Parse Command Output. I have a PowerShell command that returns all the info I want, but it's kinda messy. I'm trying to use a regular expression to parse the output but am having some difficulty. On the docs site, it states that since there is only one Regular Expression field, you simply combine the expressions by wrapping each in parentheses, the order of which needs to correspond with the order of the variables you have created, and they will link up. The issue I am having is I get an error whenever I try to do that. To keep it simple I'm starting with 2 variables as shown below.
Here you can see my two expressions wrapped and following each other. If I click on Test I get the message "Operation executed with no change to the debug session (Note: This could be due to the operation returning empty results or failed precondition)"
Someone suggested I use an * between them in this manner ((?<=Thumbprint : )(?s)(.*$))*((?<=FriendlyName : )(?s)(.*$)). Then I get the message "Failed to parse content due to the following error: INVALID_REGEX length: 2".
So I tried to wrap all of that in parentheses, (((?<=Thumbprint : )(?s)(.*$))*((?<=FriendlyName : )(?s)(.*$))), at which point it highlights only the information behind FriendlyName as if it was the first variable in the output section, but when I click on Test I get the same error "Failed to parse content due to the following error: INVALID_REGEX length: 2".
Does anyone know if there is some other character or do I need some other operator to make this work?
Labels: Discovery
09-05-2018 12:55 PM
I know this may be difficult to do but can you provide a sample output you are trying to parse? It will probably help with troubleshooting this.
09-05-2018 01:03 PM
I'm happy to. Here is a bit of the Output (for structure, the data was obviously replaced).
Location     : CurrentUser
StoreNames   : {SmartCardRoot, Root, Trust, AuthRoot...}
Name         : SmartCardRoot
Name         : Root
Subject      : XXXXXXXX
Issuer       : XXXXXXXX
Thumbprint   : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
FriendlyName : XXXXXXXXXXXXXXXXXXXXXXXXXXX
NotBefore    : 5/9/2001 6:19:22 PM
NotAfter     : 5/9/2021 6:28:13 PM
Extensions   : {Stuff}
Subject      : YYYYYYYY
Issuer       : YYYYYYYY
Thumbprint   : YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
FriendlyName : YYYYYYYYYYYYYYYYYYYYYYYYYYY
NotBefore    : 12/31/1996 6:00:00 PM
NotAfter     : 12/31/2020 5:59:59 PM
Extensions   : {More Stuff}
09-06-2018 06:09 AM
Sorry I missed the notification for your response. So your first problem is that Patterns don't use the /g flag for matching, so you won't be able to match across multiple lines (I know it's a pain in the butt). In this case what I would do is use a regular expression to match the first word and second word, something like (.*?)\s*:\s*(.*). Then in your next step you could filter the table you put that out into where the name side = Thumbprint and where the name side = FriendlyName (basically put the name/value pairs into their own variables). You can then set them to whatever you want from there.
You could also do this with a delimited strategy where you only include lines containing Thumbprint|FriendlyName and then split on :. You might get some extra spaces though that you will have to deal with.
Either way this should get you where you need to go. Make sense?
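The following is an added example, not part of the original thread or of the Pattern Designer itself. It applies the reply's line-by-line approach to the sample output quoted above (recreated here as constructed placeholder data, not real certificates): the regex (.*?)\s*:\s*(.*) is run one line at a time, the resulting name/value pairs are folded into one record per certificate (each block begins with Subject), and NotAfter is then compared against an "expiring within X days" cutoff. It also implements the delimiter strategy from the reply, with the caveat that the split on ":" must stop after the first colon because the timestamp values contain further colons. The date format assumed (en-US, as in the sample) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample with the same shape as the PowerShell output quoted in
# the thread. Values are placeholders, not real certificate data.
SAMPLE_OUTPUT = """\
Location     : CurrentUser
StoreNames   : {SmartCardRoot, Root, Trust, AuthRoot...}
Name         : SmartCardRoot
Name         : Root
Subject      : CN=Example Root A
Issuer       : CN=Example Root A
Thumbprint   : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FriendlyName : Example Root A
NotBefore    : 5/9/2001 6:19:22 PM
NotAfter     : 5/9/2021 6:28:13 PM
Extensions   : {Stuff}
Subject      : CN=Example Root B
Issuer       : CN=Example Root B
Thumbprint   : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
FriendlyName : Example Root B
NotBefore    : 12/31/1996 6:00:00 PM
NotAfter     : 12/31/2020 5:59:59 PM
Extensions   : {More Stuff}
"""

# The regex suggested in the reply: lazy name, optional spaces around ':',
# rest of the line as the value. It is applied to ONE line at a time, which
# is all a single-line (non-/g) parse step can do.
LINE_RE = re.compile(r'^(.*?)\s*:\s*(.*)$')


def parse_pairs(text):
    """Return a list of (name, value) tuples, one per 'Name : Value' line."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def parse_pairs_delimited(text, wanted=('Thumbprint', 'FriendlyName', 'NotAfter')):
    """The delimiter strategy from the reply: keep only lines whose name is
    in `wanted`, split on ':' and strip the surrounding spaces.
    split(':', 1) is essential: 'NotAfter : 5/9/2021 6:28:13 PM' contains
    more colons, and an unlimited split would cut the timestamp apart."""
    pairs = []
    for line in text.splitlines():
        if ':' not in line:
            continue
        name, value = line.split(':', 1)
        name, value = name.strip(), value.strip()
        if name in wanted:
            pairs.append((name, value))
    return pairs


def group_certs(pairs, record_start='Subject'):
    """Fold the flat name/value list into one dict per certificate.
    Every certificate block in the output starts with 'Subject'; pairs before
    the first one (Location, StoreNames, Name) describe the store and are
    skipped."""
    certs, current = [], None
    for name, value in pairs:
        if name == record_start:
            current = {}
            certs.append(current)
        if current is not None:
            current[name] = value
    return certs


def parse_notafter(value):
    # Assumes PowerShell's default en-US date formatting, e.g. '5/9/2021 6:28:13 PM'.
    return datetime.strptime(value, '%m/%d/%Y %I:%M:%S %p')


def expiring_within(certs, days, now):
    """Thumbprints of certificates whose NotAfter is within `days` of `now`
    (already-expired certificates are included, since they need attention too)."""
    cutoff = now + timedelta(days=days)
    return [c['Thumbprint'] for c in certs if parse_notafter(c['NotAfter']) <= cutoff]


if __name__ == '__main__':
    certs = group_certs(parse_pairs(SAMPLE_OUTPUT))
    for c in certs:
        print(c['Thumbprint'], c['FriendlyName'], c['NotAfter'])
    print('expiring within 90 days of 2020-11-01:',
          expiring_within(certs, 90, datetime(2020, 11, 1)))
```

The regex route keeps every field and lets the filtering happen afterwards on the name column, which is what the reply describes for Pattern Designer; the delimited route is shorter but only safe if the split is limited to the first colon.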
09-06-2018 08:11 AM
I will look into your suggestion on the regular expression (I'm still figuring those out).
I began by trying to parse by delimited text, but when I filtered on lines only containing the fields I wanted and selected : as the delimiter and position 2, I ended up with everything under the same variable.