<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627 in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-regex-from-matching-till-end-of-event-Extracting/m-p/698362#M237149</link>
    <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168"&gt;@ITWhisperer&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That worked perfectly.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 06 Sep 2024 02:56:26 GMT</pubDate>
    <dc:creator>att35</dc:creator>
    <dc:date>2024-09-06T02:56:26Z</dc:date>
    <item>
      <title>How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-regex-from-matching-till-end-of-event-Extracting/m-p/698313#M237139</link>
      <description>&lt;P&gt;Need some help in extracting Group Membership details from Windows Event Code 4627.&lt;/P&gt;&lt;P&gt;As explained in this answer,&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.splunk.com/t5/Splunk-Search/Regex-not-working-as-expected/m-p/470417" target="_self"&gt;https://community.splunk.com/t5/Splunk-Search/Regex-not-working-as-expected/m-p/470417&lt;/A&gt;&lt;/P&gt;&lt;P&gt;the following seems to be working to extract Group_name, but the capture doesn't stop once the group list ends. Instead, it continues to match everything till the end of the line. I experimented with (?ms) and (?m) but didn't have any success.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;"(?ms)(?:^Group Membership:\t\t\t|\G(?!^))\r?\n[\t ]*(?:[^\\\r\n]*\\\)*(?&amp;lt;Group_name&amp;gt;(.+))"&lt;/LI-CODE&gt;&lt;LI-CODE lang="markup"&gt;09/04/2024 11:59:59 PM
LogName=Security
EventCode=4627
EventType=0
ComputerName=DCServer.domain.x.y
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=64222222324
Keywords=Audit Success
TaskCategory=Group Membership
OpCode=Info
Message=Group membership information.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		DCServer$
	Account Domain:		Domain
	Logon ID:		0x1111

Logon Type:			3

New Logon:
	Security ID:		Domain\Account
	Account Name:		Account
	Account Domain:		Domain
	Logon ID:		0x5023236

Event in sequence:		1 of 1

Group Membership:			
		Domain\Group1
		Group2
		BUILTIN\Group3
		BUILTIN\Group4
		BUILTIN\Group5
		BUILTIN\Group6
		NT AUTHORITY\NETWORK
		NT AUTHORITY\Authenticated Users
		Domain\Group7

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When I use this regex, it does capture starting from the Group list but continues on till the end of event.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Group_name.png" style="width: 581px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/32544i91448A11A5AEADD2/image-size/large?v=v2&amp;amp;px=999" role="button" title="Group_name.png" alt="Group_name.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;How can I tell regex to stop matching once the group list ends? Also, this regex seems to be putting all groups as a single match. Is it possible to make it multi-valued, so that we can count total number of groups present in a given event, e.g. 9 groups in the event example above.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;~Abhi&lt;/P&gt;</description>
      <pubDate>Thu, 05 Sep 2024 17:12:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-regex-from-matching-till-end-of-event-Extracting/m-p/698313#M237139</guid>
      <dc:creator>att35</dc:creator>
      <dc:date>2024-09-05T17:12:41Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-regex-from-matching-till-end-of-event-Extracting/m-p/698316#M237141</link>
      <description>&lt;LI-CODE lang="markup"&gt;| rex max_match=0 "(?m)^\t\t+(?&amp;lt;Group_name&amp;gt;.+)$"&lt;/LI-CODE&gt;</description>
      <pubDate>Thu, 05 Sep 2024 18:17:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-regex-from-matching-till-end-of-event-Extracting/m-p/698316#M237141</guid>
      <dc:creator>ITWhisperer</dc:creator>
      <dc:date>2024-09-05T18:17:59Z</dc:date>
    </item>
    <item>
      <title>Re: How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-regex-from-matching-till-end-of-event-Extracting/m-p/698362#M237149</link>
      <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168"&gt;@ITWhisperer&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That worked perfectly.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 06 Sep 2024 02:56:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-prevent-regex-from-matching-till-end-of-event-Extracting/m-p/698362#M237149</guid>
      <dc:creator>att35</dc:creator>
      <dc:date>2024-09-06T02:56:26Z</dc:date>
    </item>
  </channel>
</rss>