topic Re: REGEX Requred in Getting Data In

REGEX Requred

DanAlexander — Thu, 05 Dec 2024 15:25:03 GMT

Hello Community

I need regex that can return extract the following fields only from event 4702:
1. <EventID></EventID>
2.<TimeCreated SystemTime='2024-12-05T14:59:44.9923272Z'/>

3.<Computer>Host</Computer>

4.<Data Name='TaskName'>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>

from the following raw event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4702</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-12-05T14:59:44.9923272Z'/><EventRecordID>2470365</EventRecordID><Correlation ActivityID='{625186de-46eb-0000-1689-5162eb46db01}'/><Execution ProcessID='1408' ThreadID='1600'/><Channel>Security</Channel><Computer>Host</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-20</Data><Data Name='SubjectUserName'> Host $</Data><Data Name='SubjectDomainName'> Host </Data><Data Name='SubjectLogonId'>0x3e4</Data><Data Name='TaskName'>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data><Data Name='TaskContentNew'><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
<Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
<Version>1.0</Version>
<Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
<URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2024-12-10T07:54:44Z</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>3</Count>
</RestartOnFailure>
</Settings>
<Actions Context="NetworkService">
<ComHandler>
<ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
<Data><![CDATA[timer]]></Data>
</ComHandler>
</Actions>
</Task></Data><Data Name='ClientProcessStartKey'>26177172834095606</Data><Data Name='ClientProcessId'>2408</Data><Data Name='ParentProcessId'>1368</Data><Data Name='RpcCallClientLocality'>0</Data><Data Name='FQDN'>Host</Data></EventData></Event>

I need to be able to validate via | makeresults rex mod=sed.....

Thanks in advance

Re: REGEX Requred

richgalloway — Thu, 05 Dec 2024 15:51:29 GMT

It would help to know what you've tried already and how those efforts failed to meet expectations.

Are you looking for a single regex or one for each field?

Do you plan to extract the fields at search time or index time? If search time, have you tried using spath to parse the event?

rex mode=sed does not extract fields so it cannot be used to validate expressions.

Re: REGEX Requred

DanAlexander — Thu, 05 Dec 2024 16:21:44 GMT

Hi @richgalloway, thank you for your reply.

Apologies, I should have been a bit more descriptive.

I am trying to implement a SEDCMD in transforms.conf to reduce a single raw event's size, specifically by removing elements that will never be used while keeping the event intact for compliance purposes.

My intent is not to extract fields but to ensure that only the necessary elements remain in the raw event. A single regex that can clean up the event by removing unused parts while leaving the required fields would be ideal.

Thanks in advance for your guidance!

Best regards,
D Alex

Re: REGEX Requred

ITWhisperer — Thu, 05 Dec 2024 16:37:00 GMT

Try something like this

| rex mode=sed "s/(?ms).*(?<ei>\<EventID\>\d+\<\/EventID>).*(?<TimeCreated>\<TimeCreated SystemTime='[^']+'\/>).*(?<Computer>\<Computer\>[^\<]+\<\/Computer\>).*(?<TaskName>\<Data Name='TaskName'\>[^\<]+\<\/Data\>).*/\1\2\3\4/g"

Caveat: XML sometimes has namespace aliases either embedded or used or both which a proper XML parser would understand but these are not shown in your sample and therefore not catered for in the regex

Re: REGEX Requred

richgalloway — Thu, 05 Dec 2024 16:46:39 GMT

Thanks for clarifying. Try this query.

| rex mode=sed "s:<EventID>4702<\/EventID>|<TimeCreated SystemTime='[^']+'\/>|<Computer>[^<]+<\/Computer>|<Data Name='[^']+'>[^<]+<\/Data>::g"

Re: REGEX Requred

DanAlexander — Fri, 06 Dec 2024 12:51:24 GMT

Hi @ITWhisperer,

Please have a look at https://regex101.com/r/wRe1Ai/1

That works in 101regex web portal, but it does not work under the makeresults and SEDCMD in props.conf

I had to remove the

(?ms).*(?<ei>\

as SEDCMD s/ would not accept it neither <ei> bit.

Can you please work out the exact SEDCMD-reducing_4702=s/........g bit that will be compatible with the SEDCMD?

Also can you try that in Splunk e.g. getting the | makeresult SPL and see if the one SPL you provide would work/remove the unwanted parts from the event?

Thank you.

Re: REGEX Requred

DanAlexander — Fri, 06 Dec 2024 12:56:16 GMT

Hi @richgalloway

Thanks for your reply.

Apologies, for the delay in replying but I had to test it.

Please see the results here: https://regex101.com/r/7u6vAP/1

Now I need to figure out as I have asked @ITWhisperer how to make both work the | makeresult | rex mode=sed ........ and the props SEDCMD-reducing_4702=? to work strip the event thus reducing its weight in bytes

Thank you

Re: REGEX Requred

richgalloway — Fri, 06 Dec 2024 13:31:35 GMT

Remove the ':' on the end of the regex and it should work.

You can't get | makeresults and props to work at the same time. makeresults creates synthetic events and props only work on real events.

Re: REGEX Requred

PickleRick — Fri, 06 Dec 2024 13:35:10 GMT

For the SPL you need to escape all backslashes and quotes. For regex101 it requires you to escape slashes by default (which is not a part of the regex requirement but part of the default PHP PCRE usage syntax). SEDCMD uses raw regex.