Hi all, I'm trying to create a blacklist for an event after checking 2 different fields on different lines.
I can get them filtered individually, but without an "AND" operator, like OR has "|", I'm struggling.
Sample Event
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: SYSTEM
Account Name: COMPUTER$
Account Domain: XXXX.NET
Logon ID: 0x6C6C65F09
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {970e0bf8-ccc7-18fd-7be9-d5efe2ab8b22}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
So what I'm trying to do is filter on Logon Type=3 AND Account Name: xxx$
I have tried stuff that works on regex101, etc., and it will work there, but Splunk doesn't seem to recognize it.
(?=.*?(Logon\sType:[\s]*3))(?=.*?(Account\sName:[\s]*.*\$))
Any help is appreciated
Took me a while but figured it out, in case someone shows up here in the future!
source="WinEventLog:Security" EventCode=4624 | regex Message="(?ms)Logon\sType:[\s]*(3).*Account\sName:[\s]*(.*\$)"
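Why the lookahead version from the question fails and the `(?ms)` version from the answer works comes down to one thing: in PCRE (which Splunk's `regex` and `rex` commands use) and in most other engines, `.` does not match a newline unless the `s` flag is set, so `(?=.*?...)` can only look along the line it starts on. The Python script below is an added example, not code from the post, and uses Python's `re` module as a stand-in for Splunk's PCRE: it runs the posted lookahead pattern with and without the dotall flag, runs the answer's pattern, and then adds a tightened pattern (my own addition, not from the thread) that anchors each field to its own line and reads the account name from the `New Logon:` block rather than `Subject:`. The answer's `Account\sName:[\s]*(.*\$)` is loose because both `\s` and `.` (under `s`) span lines, so it accepts a `$` anywhere later in the message; the tightened pattern avoids that. The three event messages are constructed, trimmed copies of the 4624 text in the post.

```python
import re

# Constructed sample 4624 message (not real telemetry), trimmed from the event
# in the post: a network (type 3) logon by the machine account COMPUTER$.
NETWORK_MACHINE_LOGON = """An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
New Logon:
Security ID: SYSTEM
Account Name: COMPUTER$
Account Domain: XXXX.NET
Logon ID: 0x6C6C65F09
Process Information:
Process ID: 0x0
Process Name: -"""

# Constructed variants: the same event for a user account, and a type 10 (RDP)
# logon by the machine account. Neither should be matched.
NETWORK_USER_LOGON = NETWORK_MACHINE_LOGON.replace("Account Name: COMPUTER$", "Account Name: jsmith")
RDP_MACHINE_LOGON = NETWORK_MACHINE_LOGON.replace("Logon Type: 3", "Logon Type: 10")

# The lookahead pattern exactly as posted in the question. Without the s flag
# "." stops at a newline, so each lookahead only sees the line it starts on.
LOOKAHEAD = r"(?=.*?(Logon\sType:[\s]*3))(?=.*?(Account\sName:[\s]*.*\$))"

# The pattern from the working answer: (?ms) lets "." cross line breaks.
ANSWER = r"(?ms)Logon\sType:[\s]*(3).*Account\sName:[\s]*(.*\$)"

# Tightened pattern (added here, not from the thread): with the m flag ^ and $
# anchor each field to its own line; [ \t]* instead of \s* cannot swallow a
# newline; the account name must come from the "New Logon:" block, and the
# trailing $ must end that same line rather than appear anywhere later.
TIGHTENED = (
    r"(?ms)^Logon Type:[ \t]*3[ \t\r]*$"
    r".*?^New Logon:[ \t\r]*$"
    r".*?^Account Name:[ \t]*(?P<account>[^\r\n]*\$)[ \t\r]*$"
)


def lookahead_matches(message: str, dotall: bool) -> bool:
    """Run the question's lookahead pattern, with or without the s (DOTALL) flag."""
    flags = re.DOTALL if dotall else 0
    return re.search(LOOKAHEAD, message, flags) is not None


def answer_matches(message: str) -> bool:
    """Run the pattern from the accepted answer (flags are inline in the pattern)."""
    return re.search(ANSWER, message) is not None


def new_logon_machine_account(message: str):
    """Return the New Logon account name if it is a type 3 machine-account logon, else None."""
    m = re.search(TIGHTENED, message)
    return m.group("account") if m else None


if __name__ == "__main__":
    print("lookahead, no dotall:", lookahead_matches(NETWORK_MACHINE_LOGON, dotall=False))
    print("lookahead, dotall:   ", lookahead_matches(NETWORK_MACHINE_LOGON, dotall=True))
    for name, msg in [("machine/type3", NETWORK_MACHINE_LOGON),
                      ("user/type3", NETWORK_USER_LOGON),
                      ("machine/type10", RDP_MACHINE_LOGON)]:
        print(name, answer_matches(msg), new_logon_machine_account(msg))
```

The tightened pattern drops straight into the `regex Message="..."` form used in the answer, and if you want the account name as a field, `rex field=Message` with a PCRE named group (`(?<account>[^\r\n]*\$)`) extracts it. Real 4624 messages separate the label and value with tabs rather than a single space, which is why the pattern uses `[ \t]*` rather than a literal space after the colon.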