From this Event log, I need to pull the Account Creator and Account Created as two separate tables.
6/6/19
9:27:22.000 AM
06/06/2019 09:27:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=CPMASNAAD03.na.cintas.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=5472484169
Keywords=Audit Success
Message=A user account was created.
Subject:
Security ID: "xxxxxxxxx"
Account Name: Account Creator
Account Domain: xxxxx
Logon ID: xxxxxxx
New Account:
Security ID: "xxxxxx"
Account Name: Account Created
Account Domain: xxxxxxx
Attributes:
SAM Account Name: xxxxxxxx
Display Name: User
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x11
User Account Control:
Account Disabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours: <value not set>
Additional Information:
Privileges
This should grab account creator. Regex101 link: https://regex101.com/r/X2pzRW/1
| rex "Subject:[\r\n]\s+Security ID:[^\n\r]+[\r\n]\s+Account Name:\s+(?<account_creator>[^\n\r]+)"
And this one should get New Account: Regex101 link: https://regex101.com/r/8mU2ZM/1
| rex "New Account:[\r\n]\s+Security ID:[^\r\n]+[\r\n]\s+Account Name:\s+(?<account_created>[^\r\n]+)"
This should also work if you don't mind doing it in three lines instead of two, but only one line is regex. Regex101 link: https://regex101.com/r/NgPIlq/1
| rex max_match=2 "[\r\n]\s+Security ID:[^\r\n]+[\r\n]\s+Account Name:\s+(?<accounts>[^\r\n]+)"
| eval account_creator=mvindex(accounts, 0)
| eval account_created=mvindex(accounts, 1)
I was overthinking the process and thought I needed to do a rex. After seeing your post about doing the | eval, I could use a value that is already extracted. There is an Account_Name field that has multiple values, so here is what my query looks like, and it is working as expected.
index=wineventlog EventCode=4720
| eval account_creator=mvindex(Account_Name, 0)
| eval account_created=mvindex(Account_Name, 1)
| rex "(?ms)New Account:.*Account Domain:\s+(?<New_Account_Domain>\w+)$"
| table _time, account_creator, account_created, New_Account_Domain
Awesome! I'm glad it worked out using the eval on the existing extraction!
I have tried both solutions and they both returned empty results.
Here's a run anywhere example using the data that was provided in the original post and it functions:
| makeresults count=1
| eval _raw="6/6/19
9:27:22.000 AM
06/06/2019 09:27:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=CPMASNAAD03.na.cintas.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=5472484169
Keywords=Audit Success
Message=A user account was created.
Subject:
Security ID: \"xxxxxxxxx\"
Account Name: Account Creator
Account Domain: xxxxx
Logon ID: xxxxxxx
New Account:
Security ID: \"xxxxxx\"
Account Name: Account Created
Account Domain: xxxxxxx
Attributes:
SAM Account Name: xxxxxxxx
Display Name: User
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x11
User Account Control:
Account Disabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours: <value not set>
Additional Information:
Privileges"
| rex field=_raw "Subject:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_creator>[^\n]+)"
| rex field=_raw "New Account:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_created>[^\n]+)"
Those regex101 links also show it working. Can you put your raw event (minus any sensitive information) into regex101 with anything in the regular expression field and click Save Regex and provide the link here?
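The run-anywhere example above only shows the extraction succeeding; it does not show the two things that most often make the same pattern return nothing on real events. The parser below is an added example (not code from the thread, and not Splunk's) that pulls the same Subject / New Account fields out of a 4720 message in Python and is tolerant of both: the rex patterns in this thread use `[\r\n]\s+`, which requires at least one whitespace character after the newline, so an event whose tab indentation did not survive ingestion never matches, and a native Windows event uses CRLF line endings. The sample event and its SIDs, domain and timestamp are constructed placeholders modelled on the event quoted in the question; the `_time`/`_raw` dictionaries stand in for Splunk events and are also assumptions.

```python
import re

# Constructed sample modelled on the 4720 event quoted in the thread
# (placeholder SIDs and domain; not a real log line).
SAMPLE_4720 = (
    "06/06/2019 09:27:22 AM\n"
    "LogName=Security\n"
    "EventCode=4720\n"
    "Message=A user account was created.\n"
    "Subject:\n"
    "Security ID: S-1-5-21-1111\n"
    "Account Name: Account Creator\n"
    "Account Domain: CORP\n"
    "Logon ID: 0x3E7\n"
    "New Account:\n"
    "Security ID: S-1-5-21-2222\n"
    "Account Name: Account Created\n"
    "Account Domain: CORP\n"
    "Attributes:\n"
    "SAM Account Name: created\n"
)


def _section_re(header: str) -> "re.Pattern[str]":
    # Same shape as the rex in the thread, with two tolerances added:
    #   \r?\n   matches CRLF (native Windows events) as well as LF
    #   [ \t]*  accepts indentation whether or not it survived ingestion
    #           (the thread's "\s+" needs at least one whitespace char after
    #            the newline, so an unindented event never matches it)
    nl = r"\r?\n[ \t]*"
    return re.compile(
        re.escape(header) + r":" + nl
        + r"Security ID:[^\r\n]*" + nl
        + r"Account Name:[ \t]*(?P<name>[^\r\n]+)" + nl
        + r"Account Domain:[ \t]*(?P<domain>[^\r\n]+)"
    )


SECTIONS = {
    "account_creator": _section_re("Subject"),
    "account_created": _section_re("New Account"),
}


def extract_accounts(raw: str) -> dict:
    """Return creator/created name and domain from one 4720 message, or {} if
    either section is missing (a half-parsed event is worse than no event)."""
    out = {}
    for field, pattern in SECTIONS.items():
        m = pattern.search(raw)
        if m is None:
            return {}
        out[field] = m.group("name").strip()
        out[field + "_domain"] = m.group("domain").strip()
    return out


def as_native_windows(raw: str) -> str:
    """Approximate the event before copy/paste flattened it: CRLF line endings
    and tab-indented sub-fields, which is how the Security log renders them."""
    indented = re.sub(
        r"^(Security ID|Account Name|Account Domain|Logon ID|SAM Account Name):",
        "\t\\1:", raw, flags=re.M,
    )
    return indented.replace("\n", "\r\n")


def split_tables(events):
    """Build the two tables the question asks for: one row per creator and one
    per created account, each keyed by the event time. Events that do not parse
    are skipped rather than emitted with mis-paired fields."""
    creators, created = [], []
    for ev in events:
        fields = extract_accounts(ev["_raw"])
        if not fields:
            continue
        creators.append((ev["_time"], fields["account_creator"], fields["account_creator_domain"]))
        created.append((ev["_time"], fields["account_created"], fields["account_created_domain"]))
    return creators, created


if __name__ == "__main__":
    sample_events = [  # constructed stand-ins for Splunk's _time/_raw
        {"_time": "2019-06-06T09:27:22", "_raw": SAMPLE_4720},
        {"_time": "2019-06-06T09:30:00", "_raw": as_native_windows(SAMPLE_4720)},
    ]
    for name, rows in zip(("creators", "created"), split_tables(sample_events)):
        print(name, rows)
```

The same two tolerances carry straight over to the SPL: writing the line break as `\r?\n[ \t]*` instead of `[\r\n]\s+` makes the rex accept an event whether or not it is indented and whether it uses CRLF or LF, which is the first thing to check when regex101 says a pattern matches but Splunk returns nothing.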
What I pasted was what I could copy from Splunk. It is being ingested from the Windows infrastructure app. The Windows event log is not ingested with renderXml enabled, if any of that helps.
What's weird is if I put it into regex101.com it says it should be working.