Solved: Extracting multiple values in a Splunk Search

enymanu · ‎03-10-2020

**Hi All, I need help extracting {0000000-0000-0000-0000-000000000000} and {0000000-0000-0000-0000-000000000000} from the log sample below during search. This is what i have so far:

sourcetype=wineventlog EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR ObjectT_ype="domainDNS") | rex field=Message "Properties: (?P[^\s]+) {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " | rex field=Message "Properties: (?P[^\s]+) {9923a32a-3607-11d2-b9be-0000f87a36b2} " | rex field=Message "Properties: (?P[^\s]+) {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2} "
Please help me fix this search.*

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=gghasfv.net
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=0000000
Keywords=Audit Success
Message=An operation was performed on an object.

Subject :
Security ID: S-1-5-21-0000000-0000-0000-0000-000000000000
Account Name: NAME$
Account Domain: GOAL
Logon ID: GOAL

Object:
Object Server: DS
Object Type: %{0000000-0000-0000-0000-000000000000}
Object Name: %{0000000-0000-0000-0000-000000000000}
Handle ID:

Operation:
Operation Type: Object Access
Accesses: Control Access

Access Mask:        0x100
Properties:     Control Access
    {0000000-0000-0000-0000-000000000000}
{0000000-0000-0000-0000-000000000000}

Additional Information:
Parameter 1:
Parameter 2

to4kawa · ‎03-11-2020

Reference:

DS-Install-Replica 9923a32a-3607-11d2-b9be-0000f87a36b2 
DS-Replication-Manage-Topology 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
Schema-Id-Guid 19195a5b-6da0-11d0-afd3-00c04fd930c9

cf. https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters

your search
| rex max_match=0 "[^%](?<guid>{.*})"

try rex max_match . this command exclude Object Type and Object Name

View solution in original post

to4kawa · ‎03-11-2020

Reference:

DS-Install-Replica 9923a32a-3607-11d2-b9be-0000f87a36b2 
DS-Replication-Manage-Topology 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
Schema-Id-Guid 19195a5b-6da0-11d0-afd3-00c04fd930c9

cf. https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters

your search
| rex max_match=0 "[^%](?<guid>{.*})"

try rex max_match . this command exclude Object Type and Object Name

enymanu · ‎03-11-2020

This is my updated search. It is not filtering the properties.

sourcetype=wineventlog (EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) OR (EventCode="4624" session_id!="NT AUTHORITY" Account_Domain!="Window Manager") | rex max_match=0 "^%" | search (guid="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR guid = "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR guid = "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}")

to4kawa · ‎03-11-2020

guid is multivalue. search can't work.

sourcetype=wineventlog  ("{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}") (EventCode="4662" OR EventCode="4624")

How is this?
I guess if extra results appear, useNOT
you can do it.

enymanu · ‎03-11-2020

This works fine but it slow. Is there away it can be accelerated

to4kawa · ‎03-12-2020

(EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) can use on same way.It will be faster.

codebuilder · ‎03-10-2020

If this is properly structured xml or json just use mvexpand on your multi-value field. You can also pipe that to "search" for a specific value in the MV field.

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand

----
An upvote would be appreciated and Accept Solution if it helps!

Extracting multiple values in a Splunk Search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor