Hello Community
I need a regex that can extract only the following fields from event 4702:
1. <EventID></EventID>
2. <TimeCreated SystemTime='2024-12-05T14:59:44.9923272Z'/>
3. <Computer>Host</Computer>
4. <Data Name='TaskName'>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
from the following raw event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4702</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-12-05T14:59:44.9923272Z'/><EventRecordID>2470365</EventRecordID><Correlation ActivityID='{625186de-46eb-0000-1689-5162eb46db01}'/><Execution ProcessID='1408' ThreadID='1600'/><Channel>Security</Channel><Computer>Host</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-20</Data><Data Name='SubjectUserName'> Host $</Data><Data Name='SubjectDomainName'> Host </Data><Data Name='SubjectLogonId'>0x3e4</Data><Data Name='TaskName'>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data><Data Name='TaskContentNew'><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
<Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
<Version>1.0</Version>
<Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
<URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2024-12-10T07:54:44Z</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>3</Count>
</RestartOnFailure>
</Settings>
<Actions Context="NetworkService">
<ComHandler>
<ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
<Data><![CDATA[timer]]></Data>
</ComHandler>
</Actions>
</Task></Data><Data Name='ClientProcessStartKey'>26177172834095606</Data><Data Name='ClientProcessId'>2408</Data><Data Name='ParentProcessId'>1368</Data><Data Name='RpcCallClientLocality'>0</Data><Data Name='FQDN'>Host</Data></EventData></Event>
I need to be able to validate via | makeresults rex mode=sed.....
Thanks in advance
It would help to know what you've tried already and how those efforts failed to meet expectations.
Are you looking for a single regex or one for each field?
Do you plan to extract the fields at search time or index time? If search time, have you tried using spath to parse the event?
rex mode=sed does not extract fields so it cannot be used to validate expressions.
Hi @richgalloway, thank you for your reply.
Apologies, I should have been a bit more descriptive.
I am trying to implement a SEDCMD in transforms.conf to reduce a single raw event's size, specifically by removing elements that will never be used while keeping the event intact for compliance purposes.
My intent is not to extract fields but to ensure that only the necessary elements remain in the raw event. A single regex that can clean up the event by removing unused parts while leaving the required fields would be ideal.
Thanks in advance for your guidance!
Best regards,
D Alex
Thanks for clarifying. Try this query.
| rex mode=sed "s:<EventID>4702<\/EventID>|<TimeCreated SystemTime='[^']+'\/>|<Computer>[^<]+<\/Computer>|<Data Name='[^']+'>[^<]+<\/Data>::g"
Thanks for your reply.
Apologies for the delay in replying, but I had to test it.
Please see the results here: https://regex101.com/r/7u6vAP/1
Now I need to figure out, as I have asked @ITWhisperer, how to make both work: the | makeresults | rex mode=sed ........ and the props SEDCMD-reducing_4702=? that will strip the event, thus reducing its weight in bytes.
Thank you
Remove the ':' on the end of the regex and it should work.
You can't get | makeresults and props to work at the same time. makeresults creates synthetic events and props only work on real events.
Try something like this
| rex mode=sed "s/(?ms).*(?<ei>\<EventID\>\d+\<\/EventID>).*(?<TimeCreated>\<TimeCreated SystemTime='[^']+'\/>).*(?<Computer>\<Computer\>[^\<]+\<\/Computer\>).*(?<TaskName>\<Data Name='TaskName'\>[^\<]+\<\/Data\>).*/\1\2\3\4/g"
Caveat: XML sometimes has namespace aliases, either embedded or used or both, which a proper XML parser would understand, but these are not shown in your sample and are therefore not catered for in the regex.
Hi @ITWhisperer,
Please have a look at https://regex101.com/r/wRe1Ai/1
That works in the regex101 web portal, but it does not work under makeresults or as a SEDCMD in props.conf.
I had to remove the (?ms).*(?<ei>\ part, as SEDCMD s/ would not accept it, nor the <ei> bit.
Can you please work out the exact SEDCMD-reducing_4702=s/........g bit that will be compatible with the SEDCMD?
Also, can you try that in Splunk, e.g. by getting the | makeresults SPL and seeing whether the one SPL you provide would work/remove the unwanted parts from the event?
Thank you.
For the SPL you need to escape all backslashes and quotes. For regex101, it requires you to escape slashes by default (which is not part of the regex requirement but part of the default PHP PCRE usage syntax). SEDCMD uses raw regex.
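Added example, not code from any poster in this thread: the "keep only these four elements" substitution written with numbered groups (the asker reports SEDCMD rejected the (?<name>...) form), run with Python's re module as a stand-in for Splunk's regex engine against a constructed, shortened copy of the sample event. The SEDCMD rendering at the end is an assumption about props.conf syntax and still needs to be tested in Splunk.

```python
import re

# Constructed, shortened 4702 event modelled on the one posted in the thread
# (TaskContentNew is abbreviated; the four wanted elements are as posted).
SAMPLE_4702 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4702</EventID><Version>1</Version>"
    "<TimeCreated SystemTime='2024-12-05T14:59:44.9923272Z'/>"
    "<EventRecordID>2470365</EventRecordID><Channel>Security</Channel>"
    "<Computer>Host</Computer><Security/></System>"
    "<EventData><Data Name='SubjectUserSid'>S-1-5-20</Data>"
    "<Data Name='TaskName'>\\Microsoft\\Windows\\SoftwareProtectionPlatform"
    "\\SvcRestartTask</Data>"
    "<Data Name='TaskContentNew'><?xml version=\"1.0\" encoding=\"UTF-16\"?>\n"
    "<Task version=\"1.6\"><Settings><Hidden>true</Hidden></Settings></Task>"
    "</Data><Data Name='FQDN'>Host</Data></EventData></Event>"
)

# Numbered groups only, since the asker reports SEDCMD rejected (?<name>...).
# (?s) lets .* cross the newlines inside TaskContentNew; each greedy .* swallows
# the text between the captured elements, in the order they occur in the event.
KEEP_4702 = re.compile(
    r"(?s).*(<EventID>\d+</EventID>)"
    r".*(<TimeCreated SystemTime='[^']+'/>)"
    r".*(<Computer>[^<]+</Computer>)"
    r".*(<Data Name='TaskName'>[^<]+</Data>).*"
)
REPLACEMENT = r"\1\2\3\4"


def reduce_4702(raw: str) -> str:
    """Keep only the four captured elements; an event that lacks any of them
    does not match and is returned untouched rather than truncated."""
    reduced, count = KEEP_4702.subn(REPLACEMENT, raw)
    return reduced if count == 1 else raw


def as_sedcmd(class_name: str, pattern: str, replacement: str) -> str:
    """Render the same expression as a props.conf SEDCMD line. '/' is the
    delimiter there, so literal slashes in the pattern are escaped as \\/.
    Assumption: Splunk's PCRE accepts the pattern otherwise unchanged."""
    escaped = pattern.replace("/", "\\/")
    return f"SEDCMD-{class_name} = s/{escaped}/{replacement}/g"
```

Because the whole match is replaced by the backreferences, an event with the elements in a different order, or missing one of them, is left unchanged rather than mangled, which is the safe failure mode for a compliance copy.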