Getting Data In

Regex to pull Account Creator and Account Created from Windows Event

wilcoxj
New Member

From this Event log, I need to pull the Account Creator and Account Created as two separate tables.

  6/6/19
    9:27:22.000 AM  
    06/06/2019 09:27:22 AM
    LogName=Security
    SourceName=Microsoft Windows security auditing.
    EventCode=4720
    EventType=0
    Type=Information
    ComputerName=CPMASNAAD03.na.cintas.com
    TaskCategory=User Account Management
    OpCode=Info
    RecordNumber=5472484169
    Keywords=Audit Success
    Message=A user account was created.

    Subject:
        Security ID:        "xxxxxxxxx"
        Account Name:       Account Creator
        Account Domain:     xxxxx
        Logon ID:       xxxxxxx

    New Account:
        Security ID:        "xxxxxx"
        Account Name:       Account Created
        Account Domain:     xxxxxxx

    Attributes:
        SAM Account Name:   xxxxxxxx
        Display Name:       User
        User Principal Name:    -
        Home Directory:     -
        Home Drive:     -
        Script Path:        -
        Profile Path:       -
        User Workstations:  -
        Password Last Set:  <never>
        Account Expires:        <never>
        Primary Group ID:   513
        Allowed To Delegate To: -
        Old UAC Value:      0x0
        New UAC Value:      0x11
        User Account Control:   
            Account Disabled
            'Normal Account' - Enabled
        User Parameters:    -
        SID History:        -
        Logon Hours:        <value not set>

    Additional Information:
        Privileges
0 Karma
1 Solution

dmarling
Builder

This should grab account creator. Regex101 link: https://regex101.com/r/X2pzRW/1

| rex "Subject:[\r\n]\s+Security ID:[^\n\r]+[\r\n]\s+Account Name:\s+(?<account_creator>[^\n\r]+)"

And this one should get New Account: Regex101 link: https://regex101.com/r/8mU2ZM/1

| rex "New Account:[\r\n]\s+Security ID:[^\r\n]+[\r\n]\s+Account Name:\s+(?<account_created>[^\r\n]+)"

This should also work if you don't mind doing it in three lines instead of two, but only one line is regex. Regex101 link: https://regex101.com/r/NgPIlq/1

| rex max_match=2 "[\r\n]\s+Security ID:[^\r\n]+[\r\n]\s+Account Name:\s+(?<accounts>[^\r\n]+)"
| eval account_creator=mvindex(accounts, 0)
| eval account_created=mvindex(accounts, 1)

 

If this comment/answer was helpful, please up vote it. Thank you.


0 Karma


wilcoxj
New Member

I was over thinking the process and needing to do a rex. After seeing your post about doing the | eval I could use a value already extracted. There is an Account_Name that has multiple values. so here is what my query looked like and it is working as expected.

index=wineventlog EventCode=4720
| eval account_creator=mvindex(Account_Name, 0)
| eval account_created=mvindex(Account_Name, 1)
| rex "(?ms)New Account:.*Account Domain:\s+(?<New_Account_Domain>\w+)$"
| table _time, account_creator, account_created, New_Account_Domain

0 Karma
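As an added illustration (my own code, not from the thread, the Windows TA or Splunk), the patterns from dmarling's answer and the ordinal "first Account Name is the creator, second is the created account" idea behind wilcoxj's mvindex query are run in Python against a constructed copy of the posted 4720 message. The event is fed in both LF and CRLF form, since line endings are one difference between a pasted sample on regex101 and what the indexer actually stored, and the `\n`-only form of the regex from the run-anywhere example is included to show that it is the one that breaks on CRLF. Security IDs are constructed placeholders; Splunk's `(?<name>...)` group syntax is written as Python's `(?P<name>...)`.

```python
import re

# Constructed sample: the sections of the original post's 4720 message that the
# regexes touch, with LF line endings. Security IDs are placeholder values.
SAMPLE_LF = (
    "Message=A user account was created.\n"
    "\n"
    "Subject:\n"
    "    Security ID:        S-1-5-21-0-0-0-1001\n"
    "    Account Name:       Account Creator\n"
    "    Account Domain:     EXAMPLE\n"
    "    Logon ID:           0x3E7\n"
    "\n"
    "New Account:\n"
    "    Security ID:        S-1-5-21-0-0-0-2002\n"
    "    Account Name:       Account Created\n"
    "    Account Domain:     EXAMPLE\n"
    "\n"
    "Attributes:\n"
    "    SAM Account Name:   created\n"
    "    Display Name:       User\n"
)
# The same event with Windows-style CRLF line endings.
SAMPLE_CRLF = SAMPLE_LF.replace("\n", "\r\n")

# dmarling's two patterns: [\r\n] consumes the first line-ending byte and \s+
# the rest, so they tolerate both LF and CRLF.
CREATOR_RE = re.compile(
    r"Subject:[\r\n]\s+Security ID:[^\n\r]+[\r\n]\s+Account Name:\s+(?P<account_creator>[^\n\r]+)"
)
CREATED_RE = re.compile(
    r"New Account:[\r\n]\s+Security ID:[^\r\n]+[\r\n]\s+Account Name:\s+(?P<account_created>[^\r\n]+)"
)
# The \n-only variant from the run-anywhere example: requires a bare LF right
# after "Subject:", so a CR in that position makes it fail.
CREATOR_LF_ONLY_RE = re.compile(
    r"Subject:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?P<account_creator>[^\n]+)"
)

# Ordinal approach, mirroring mvindex(Account_Name, 0/1): every line that
# starts with "Account Name:" in document order. Anchoring with ^ keeps
# "SAM Account Name:" from the Attributes block out of the list.
ACCOUNT_NAME_LINE_RE = re.compile(r"^\s*Account Name:\s+([^\r\n]+)", re.MULTILINE)


def extract_accounts(raw):
    """Section-anchored extraction; missing sections yield None, not a wrong value."""
    result = {}
    for name, rx in (("account_creator", CREATOR_RE), ("account_created", CREATED_RE)):
        m = rx.search(raw)
        result[name] = m.group(name).strip() if m else None
    return result


def extract_ordinal(raw):
    """Order-based extraction: first 'Account Name:' is the subject, second the new account."""
    names = [v.strip() for v in ACCOUNT_NAME_LINE_RE.findall(raw)]
    return {
        "account_creator": names[0] if len(names) > 0 else None,
        "account_created": names[1] if len(names) > 1 else None,
    }


def lf_only_pattern_matches(raw):
    """True when the \\n-only regex finds the Subject block in this raw text."""
    return CREATOR_LF_ONLY_RE.search(raw) is not None


if __name__ == "__main__":
    for label, raw in (("LF", SAMPLE_LF), ("CRLF", SAMPLE_CRLF)):
        print(label, "anchored:", extract_accounts(raw))
        print(label, "ordinal: ", extract_ordinal(raw))
        print(label, "\\n-only regex matches:", lf_only_pattern_matches(raw))
```

The section-anchored regexes and the ordinal approach agree on this event; the ordinal one is shorter but depends entirely on the order of `Account Name:` lines and on the extraction not picking up `SAM Account Name:`, which is why it is worth checking the multivalue field on a few real events before relying on index 0 and 1.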

dmarling
Builder

Awesome! I'm glad it worked out using the eval on the existing extraction!

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma

wilcoxj
New Member

I have tried both solution and they both returned empty results.

0 Karma

dmarling
Builder

Here's a run anywhere example using the data that was provided in the original post and it functions:

| makeresults count=1
| eval _raw="6/6/19
9:27:22.000 AM    
06/06/2019 09:27:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=CPMASNAAD03.na.cintas.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=5472484169
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:        \"xxxxxxxxx\"
    Account Name:        Account Creator
    Account Domain:        xxxxx
    Logon ID:        xxxxxxx

New Account:
    Security ID:        \"xxxxxx\"
    Account Name:        Account Created
    Account Domain:        xxxxxxx

Attributes:
    SAM Account Name:    xxxxxxxx
    Display Name:        User
    User Principal Name:    -
    Home Directory:        -
    Home Drive:        -
    Script Path:        -
    Profile Path:        -
    User Workstations:    -
    Password Last Set:    <never>
    Account Expires:        <never>
    Primary Group ID:    513
    Allowed To Delegate To:    -
    Old UAC Value:        0x0
    New UAC Value:        0x11
    User Account Control:    
        Account Disabled
        'Normal Account' - Enabled
    User Parameters:    -
    SID History:        -
    Logon Hours:        <value not set>

Additional Information:
    Privileges"
| rex field=_raw "Subject:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_creator>[^\n]+)"
| rex field=_raw "New Account:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_created>[^\n]+)"

Those regex101 links also show it working. Can you put your raw event (minus any sensitive information) into regex101 with anything in the regular expression field and click Save Regex and provide the link here?

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma

wilcoxj
New Member

What I pasted was what I could copy from splunk. It is being ingested from the windows infrastructure app. The windows event log is not ingested with renderxml enabled. IF any of that helps.

0 Karma

wilcoxj
New Member

What's weird is if I put it into regex101.com it says it should be working.

0 Karma