topic Re: Search Using Regular Expression is Case-Sensitive in Splunk Search

Search Using Regular Expression is Case-Sensitive

adamfiore — Tue, 29 Sep 2020 20:50:39 GMT

I'm using a regular expression to locate a certain field in a particular event and then return results where the contents of that field are "like" a certain string. However, what I'm finding is that the "like" operator is matching based on case. Similarly, when I switch the query to match the string exactly (i.e., using "="), this too is case-sensitive.

The example below returns the desired result. However, if I make the following change, no result is returned:

where (like (Login_Security_ID,"%UserName%"))
--to--
where (like (Login_Security_ID,"%username%"))

Any idea on how I can make this case INsensitive? Thanks for the help.

Search Being Run

EventCode=4688
| rex "(?ms)Security ID:..(?<Login_Security_ID>[DOMAIN]+.\w+.\w+)"
| rex "(?ms)New Process Name:..(?<New_Process_Name>.\S*)"
| where New_Process_Name=":\Windows\System32\mmc.exe"
| where (like (Login_Security_ID,"%UserName%")) 
| eval attemptoutcome = keywords

Event Attempting to Return

08/10/2018 10:37:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=server.DOMAIN.com
TaskCategory=Process Creation
OpCode=Info
RecordNumber=6646657
Keywords=Audit Success
Message=A new process has been created.

Subject:
    Security ID:        DOMAIN\srvcUserName
    Account Name:       srvcUserName
    Account Domain:     DOMAIN
    Logon ID:       0xd3245f55

Process Information:
    New Process ID:     0x9b4
    New Process Name:   C:\Windows\System32\mmc.exe
    Token Elevation Type:   TokenElevationTypeLimited (3)
    Creator Process ID: 0xf48
    Process Command Line:

Re: Search Using Regular Expression is Case-Sensitive

anthonymelita — Tue, 29 Sep 2020 20:50:44 GMT

Replace the two where statements with a subsearch.

| search New_Process_Name="C:\Windows\System32\mmc.exe" AND Login_Security_ID = username

Re: Search Using Regular Expression is Case-Sensitive

niketn — Fri, 10 Aug 2018 17:25:03 GMT

@adamfiore, for case insensitive match please use match() function with (?i) parameter:

| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")

Following is a run anywhere example based on your sample data:

| makeresults 
| eval _raw=" 08/10/2018 10:37:47 AM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4688
 EventType=0
 Type=Information
 ComputerName=server.DOMAIN.com
 TaskCategory=Process Creation
 OpCode=Info
 RecordNumber=6646657
 Keywords=Audit Success
 Message=A new process has been created.

 Subject:
     Security ID:        DOMAIN\srvcUserName
     Account Name:        srvcUserName
     Account Domain:        DOMAIN
     Logon ID:        0xd3245f55

 Process Information:
     New Process ID:        0x9b4
     New Process Name:    C:\Windows\System32\mmc.exe
     Token Elevation Type:    TokenElevationTypeLimited (3)
     Creator Process ID:    0xf48
     Process Command Line:" 
| rex "Security ID:\s+(?<Login_Security_ID>[^\s]+)\s"
| rex "New Process Name:\s+(?<New_Process_Name>[^\s]+)\s"
| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")

Re: Search Using Regular Expression is Case-Sensitive

adamfiore — Tue, 29 Sep 2020 20:51:40 GMT

@anthonymelita Thanks for the reply, but I'm afraid this didn't work. In fact, I couldn't get the sub-search to work even when I matched the case of the username in the search query exactly as it's showing up in the event, as seen below:

| search New_Process_Name="C:\Windows\System32\mmc.exe" AND Login_Security_ID = DOMAIN\srvcUserName

Re: Search Using Regular Expression is Case-Sensitive

adamfiore — Tue, 29 Sep 2020 20:51:43 GMT

@ niketnilay Thanks for the reply. Same as above though, this didn't work for me. I also tried using (?i) with the like function, as well as matching the case of the username exactly as it's appearing in the event, but even that failed to return a result. Here are a few of the variations I tried:

| where match (Login_Security_ID,"(?i)domain\srvcusername")
| where match (Login_Security_ID,"(?i)DOMAIN\srvcUserName")
| where like (Login_Security_ID,"(?i)domain\srvcusername")
| where match (Login_Security_ID,"(?i)DOMAIN\srvcUserName")
| where like (Login_Security_ID,"(?i)%username")

Re: Search Using Regular Expression is Case-Sensitive

chanfoli — Tue, 29 Sep 2020 20:51:46 GMT

Hello, I think you need to escape that backslash as follows:
where match (Login_Security_ID,"(?i)DOMAIN\\srvcUserName")

Re: Search Using Regular Expression is Case-Sensitive

adamfiore — Tue, 29 Sep 2020 20:51:51 GMT

Thanks @chanfoli, that worked. Assuming I can't use the "%" wildcard with "match", like this:

| where match (Login_Security_ID,"(?i)%srvcusername")

Re: Search Using Regular Expression is Case-Sensitive

niketn — Tue, 14 Aug 2018 15:41:35 GMT

@adamfiore two things need to be changed...

1) use \\ to escape each \ in the path as stated in my answer.
2) Use AND to join multiple match conditions together as stated in my answer instead of using separate pipes.