
Regex to pull Account Creator and Account Created from Windows Event

New Member

From this event log, I need to pull the Account Creator and Account Created as two separate tables.

  6/6/19
    9:27:22.000 AM  
    06/06/2019 09:27:22 AM
    LogName=Security
    SourceName=Microsoft Windows security auditing.
    EventCode=4720
    EventType=0
    Type=Information
    ComputerName=CPMASNAAD03.na.cintas.com
    TaskCategory=User Account Management
    OpCode=Info
    RecordNumber=5472484169
    Keywords=Audit Success
    Message=A user account was created.

    Subject:
        Security ID:        "xxxxxxxxx"
        Account Name:       Account Creator
        Account Domain:     xxxxx
        Logon ID:       xxxxxxx

    New Account:
        Security ID:        "xxxxxx"
        Account Name:       Account Created
        Account Domain:     xxxxxxx

    Attributes:
        SAM Account Name:   xxxxxxxx
        Display Name:       User
        User Principal Name:    -
        Home Directory:     -
        Home Drive:     -
        Script Path:        -
        Profile Path:       -
        User Workstations:  -
        Password Last Set:  <never>
        Account Expires:        <never>
        Primary Group ID:   513
        Allowed To Delegate To: -
        Old UAC Value:      0x0
        New UAC Value:      0x11
        User Account Control:   
            Account Disabled
            'Normal Account' - Enabled
        User Parameters:    -
        SID History:        -
        Logon Hours:        <value not set>

    Additional Information:
        Privileges
0 Karma

Re: Regex to pull Account Creator and Account Created from Windows Event

Builder

This should grab account creator. Regex101 link: https://regex101.com/r/X2pzRW/1

| rex "Subject:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_creator>[^\n]+)"

And this one should get New Account: Regex101 link: https://regex101.com/r/8mU2ZM/1

| rex "New Account:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_created>[^\n]+)"

This should also work if you don't mind doing it in three lines instead of two, but only one line is regex. Regex101 link: https://regex101.com/r/NgPIlq/1

| rex max_match=2 "\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<accounts>[^\n]+)"
| eval account_creator=mvindex(accounts, 0)
| eval account_created=mvindex(accounts, 1)
If this comment/answer was helpful, please up vote it. Thank you.


0 Karma

Re: Regex to pull Account Creator and Account Created from Windows Event

New Member

I have tried both solutions and they both returned empty results.

0 Karma

Re: Regex to pull Account Creator and Account Created from Windows Event

New Member

What's weird is that if I put it into regex101.com, it says it should be working.

0 Karma

Re: Regex to pull Account Creator and Account Created from Windows Event

Builder

Here's a run-anywhere example using the data that was provided in the original post, and it functions:

| makeresults count=1
| eval _raw="6/6/19
9:27:22.000 AM    
06/06/2019 09:27:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=CPMASNAAD03.na.cintas.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=5472484169
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:        \"xxxxxxxxx\"
    Account Name:        Account Creator
    Account Domain:        xxxxx
    Logon ID:        xxxxxxx

New Account:
    Security ID:        \"xxxxxx\"
    Account Name:        Account Created
    Account Domain:        xxxxxxx

Attributes:
    SAM Account Name:    xxxxxxxx
    Display Name:        User
    User Principal Name:    -
    Home Directory:        -
    Home Drive:        -
    Script Path:        -
    Profile Path:        -
    User Workstations:    -
    Password Last Set:    <never>
    Account Expires:        <never>
    Primary Group ID:    513
    Allowed To Delegate To:    -
    Old UAC Value:        0x0
    New UAC Value:        0x11
    User Account Control:    
        Account Disabled
        'Normal Account' - Enabled
    User Parameters:    -
    SID History:        -
    Logon Hours:        <value not set>

Additional Information:
    Privileges"
| rex field=_raw "Subject:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_creator>[^\n]+)"
| rex field=_raw "New Account:\n\s+Security ID:[^\n]+\n\s+Account Name:\s+(?<account_created>[^\n]+)"

Those regex101 links also show it working. Can you put your raw event (minus any sensitive information) into regex101 with anything in the regular expression field, click Save Regex, and provide the link here?

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma

Re: Regex to pull Account Creator and Account Created from Windows Event

New Member

What I pasted was what I could copy from Splunk. It is being ingested from the Windows Infrastructure app. The Windows event log is not ingested with renderXml enabled, if any of that helps.

0 Karma

Re: Regex to pull Account Creator and Account Created from Windows Event

New Member

I was overthinking the process and thinking I needed to do a rex. After seeing your post about doing the | eval, I could use a value already extracted. There is an Account_Name field that has multiple values, so here is what my query looked like, and it is working as expected.

index=wineventlog EventCode=4720
| eval accountcreator=mvindex(AccountName, 0)
| eval accountcreated=mvindex(AccountName, 1)
| rex "(?ms)New Account:.*Account Domain:\s+(?<NewAccount_Domain>\w+)$"
| table _time,accountcreator,accountcreated, NewAccount_Domain

0 Karma
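The two extraction styles discussed in this thread, the section-anchored rex patterns from the accepted answer and the ordinal mvindex approach from the final post, as an added example in Python that is not part of the original thread or of any Splunk add-on. The regexes are ported to Python's `re` module (`(?P<name>...)` instead of `(?<name>...)`), and tightened with `\r?\n` and `[^\r\n]+` so that an event ingested with Windows CRLF line endings still matches and never carries a trailing carriage return into the account name. The 4720 event it runs over is constructed for this example: the host name, SIDs and account names are placeholders, not data from the original post.

```python
import re

# Constructed sample 4720 event, modeled on the one in the thread. The host name,
# SIDs and account names are placeholders invented for this example.
SAMPLE_4720 = """06/06/2019 09:27:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=DC01.corp.example
TaskCategory=User Account Management
OpCode=Info
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       jdoe_admin
    Account Domain:     CORP
    Logon ID:           0x3E7A1

New Account:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-5120
    Account Name:       svc_backup2
    Account Domain:     CORP

Attributes:
    SAM Account Name:   svc_backup2
    Display Name:       Backup Service
    User Principal Name:    -
    Primary Group ID:   513
    Old UAC Value:      0x0
    New UAC Value:      0x11

Additional Information:
    Privileges          -
"""

# Section-anchored patterns, ported from the accepted answer's rex commands.
# Differences from the SPL versions: Python group syntax (?P<name>...), \r?\n
# to accept CRLF line endings, and [^\r\n]+ so a trailing carriage return is
# never captured as part of the account name.
CREATOR_RE = re.compile(
    r"Subject:\r?\n\s+Security ID:[^\r\n]+\r?\n\s+Account Name:[ \t]+(?P<account_creator>[^\r\n]+)"
)
CREATED_RE = re.compile(
    r"New Account:\r?\n\s+Security ID:[^\r\n]+\r?\n\s+Account Name:[ \t]+(?P<account_created>[^\r\n]+)"
)
# Domain of the new account: the first "Account Domain:" after "New Account:",
# a lazy equivalent of the (?ms)New Account:.*Account Domain: rex in the final post.
DOMAIN_RE = re.compile(
    r"New Account:.*?Account Domain:[ \t]+(?P<new_account_domain>[^\r\n]+)", re.S
)
# Every "Account Name:" line in the message, in document order. The label must
# start the line, so "SAM Account Name:" under Attributes is not counted.
ACCOUNT_NAME_RE = re.compile(r"^[ \t]*Account Name:[ \t]+(?P<name>[^\r\n]+)", re.M)


def parse_4720(event: str) -> dict:
    """Section-anchored extraction: each field is tied to its own block of the
    message, so the result does not depend on how many Account Name lines exist.
    Missing fields come back as None rather than raising."""
    result = {}
    for rx in (CREATOR_RE, CREATED_RE, DOMAIN_RE):
        m = rx.search(event)
        for key in rx.groupindex:
            result[key] = m.group(key).strip() if m else None
    return result


def extract_by_position(event: str):
    """Ordinal extraction, the Python equivalent of mvindex(Account_Name, 0) and
    mvindex(Account_Name, 1) on Splunk's multivalue field: the first Account Name
    line belongs to Subject (creator), the second to New Account (created).
    Returns (None, None) when fewer than two names are present instead of
    silently attributing a single name to the wrong role."""
    names = [m.group("name").strip() for m in ACCOUNT_NAME_RE.finditer(event)]
    if len(names) < 2:
        return None, None
    return names[0], names[1]


if __name__ == "__main__":
    for label, text in (("LF", SAMPLE_4720), ("CRLF", SAMPLE_4720.replace("\n", "\r\n"))):
        print(label, parse_4720(text), extract_by_position(text))
```

The ordinal approach is shorter and works on the fields the Windows add-on already extracts, but it silently assumes exactly two Account Name lines in Subject-then-New-Account order; the section-anchored patterns cost one more regex and cannot confuse the two roles, which matters if the output feeds an alert on who created which account.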

Re: Regex to pull Account Creator and Account Created from Windows Event

Builder

Awesome! I'm glad it worked out using the eval on the existing extraction!

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma