EventCode 4672 extraction prob?

ndcl
Path Finder

Hi,

did anyone also figure out that the 4672 Windows event is not completely extracted by Splunk?

4672 is an important event because it shows the privileges of a logon account. Its raw looks like this:

Special privileges assigned to new logon.

Subject:

Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x4b842

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

OK, hard to format here, but the Privileges section has a tab stop in every row. What happens if you do a stats list on the Privileges field is that it only shows the first row: SeSecurityPrivilege. If you use mvindex(Privileges,0), every index bigger than 0 is empty. This means to me that only the first row was extracted and the rest is skipped... Too bad, because this is some very valuable information.
Can someone confirm this?

0 Karma
1 Solution

ndcl
Path Finder

OK,
based on Giuseppe's regex, there is this possible solution to get the lost fields reportable. There are of course many more ways, but I chose this one: adding an extraction and calculated fields to props.conf.

# Capture everything after "Privileges:" up to the next space. Tabs and line
# breaks are not spaces, so the whole indented list lands in one field.
EXTRACT-467_en = Privileges:\s(?<Privilege>[^ ]*) in _raw

# One calculated field per right. The \b anchors match a whole privilege name,
# including the first entry that sits directly after the label (a leading ".+"
# would require at least one character before the name and miss that entry).
EVAL-SeNetworkLogonRight = if(match(Privilege,"\bSeNetworkLogonRight\b"),"Access this Computer from the Network","X")
EVAL-SeBatchLogonRight = if(match(Privilege,"\bSeBatchLogonRight\b"),"Log on as a batch job","X")
EVAL-SeInteractiveLogonRight = if(match(Privilege,"\bSeInteractiveLogonRight\b"),"Log on locally","X")
EVAL-SeServiceLogonRight = if(match(Privilege,"\bSeServiceLogonRight\b"),"Logon as a service","X")
EVAL-SeDenyNetworkLogonRight = if(match(Privilege,"\bSeDenyNetworkLogonRight\b"),"Deny Access to this computer from the network","X")
EVAL-SeDenyInteractiveLogonRight = if(match(Privilege,"\bSeDenyInteractiveLogonRight\b"),"Deny local logon","X")
EVAL-SeDenyBatchLogonRight = if(match(Privilege,"\bSeDenyBatchLogonRight\b"),"Deny logon as a batch file","X")
EVAL-SeDenyServiceLogonRight = if(match(Privilege,"\bSeDenyServiceLogonRight\b"),"Deny logon as a service","X")
EVAL-SeTcbPrivilege = if(match(Privilege,"\bSeTcbPrivilege\b"),"Act as part of the operating system","X")
EVAL-SeMachineAccountPrivilege = if(match(Privilege,"\bSeMachineAccountPrivilege\b"),"Add workstations to the domain","X")
EVAL-SeBackupPrivilege = if(match(Privilege,"\bSeBackupPrivilege\b"),"Backup files and directories","X")
EVAL-SeChangeNotifyPrivilege = if(match(Privilege,"\bSeChangeNotifyPrivilege\b"),"Bypass traverse checking","X")
EVAL-SeSystemTimePrivilege = if(match(Privilege,"\bSeSystemTimePrivilege\b"),"Change the system time","X")
EVAL-SeCreateTokenPrivilege = if(match(Privilege,"\bSeCreateTokenPrivilege\b"),"Create a token object","X")
EVAL-SeCreatePermanentPrivilege = if(match(Privilege,"\bSeCreatePermanentPrivilege\b"),"Create permanent shared objects","X")
EVAL-SeCreatePagefilePrivilege = if(match(Privilege,"\bSeCreatePagefilePrivilege\b"),"Create a pagefile","X")
EVAL-SeDebugPrivilege = if(match(Privilege,"\bSeDebugPrivilege\b"),"Debug programs","X")
EVAL-SeEnableDelegationPrivilege = if(match(Privilege,"\bSeEnableDelegationPrivilege\b"),"Enable computer and user accounts to be trusted for delegation","X")
EVAL-SeRemoteShutdownPrivilege = if(match(Privilege,"\bSeRemoteShutdownPrivilege\b"),"Force shutdown from a remote system","X")
EVAL-SeAuditPrivilege = if(match(Privilege,"\bSeAuditPrivilege\b"),"Generate security audits","X")
EVAL-SeIncreaseQuotaPrivilege = if(match(Privilege,"\bSeIncreaseQuotaPrivilege\b"),"Increase quotas","X")
EVAL-SeIncreaseBasePriorityPrivilege = if(match(Privilege,"\bSeIncreaseBasePriorityPrivilege\b"),"Increase scheduling priority","X")
EVAL-SeLoadDriverPrivilege = if(match(Privilege,"\bSeLoadDriverPrivilege\b"),"Load and unload device drivers","X")
EVAL-SeLockMemoryPrivilege = if(match(Privilege,"\bSeLockMemoryPrivilege\b"),"Lock pages in memory","X")
EVAL-SeSecurityPrivilege = if(match(Privilege,"\bSeSecurityPrivilege\b"),"Manage auditing and security log","X")
EVAL-SeSystemEnvironmentPrivilege = if(match(Privilege,"\bSeSystemEnvironmentPrivilege\b"),"Modify firmware environment values","X")
EVAL-SeProfileSingleProcessPrivilege = if(match(Privilege,"\bSeProfileSingleProcessPrivilege\b"),"Profile a single process","X")
EVAL-SeSystemProfilePrivilege = if(match(Privilege,"\bSeSystemProfilePrivilege\b"),"Profile system performance","X")
EVAL-SeUndockPrivilege = if(match(Privilege,"\bSeUndockPrivilege\b"),"Remove computer from docking station","X")
EVAL-SeAssignPrimaryTokenPrivilege = if(match(Privilege,"\bSeAssignPrimaryTokenPrivilege\b"),"Replace a process-level token","X")
EVAL-SeRestorePrivilege = if(match(Privilege,"\bSeRestorePrivilege\b"),"Restore files and directories","X")
EVAL-SeShutdownPrivilege = if(match(Privilege,"\bSeShutdownPrivilege\b"),"Shut down the system","X")
EVAL-SeSyncAgentPrivilege = if(match(Privilege,"\bSeSyncAgentPrivilege\b"),"Synchronize directory service data","X")
EVAL-SeTakeOwnershipPrivilege = if(match(Privilege,"\bSeTakeOwnershipPrivilege\b"),"Take ownership of files or other objects","X")
EVAL-SeUnsolicitedInputPrivilege = if(match(Privilege,"\bSeUnsolicitedInputPrivilege\b"),"Read unsolicited data from a terminal device","X")

This will create fields named like the shortcut in the event. If this right is not set, then there is an "X". Otherwise there is a user-friendly description.
Btw: this will work with every Latin language; just create an alias to Privileges.

0 Karma

skalliger
Motivator

Nevermind. Our field also only extracts the first line.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi dcl,
you have to extract field from "Privileges:" to the end and then divide them.
But to help you I need an event log: insert it as Code sample so it will remain the same.
Bye.
Giuseppe

0 Karma

ndcl
Path Finder

Giuseppe, thanks for offering me your help... but I only want to prove that I'm right... because this would have a much bigger impact if this happened to all the Windows events that have tab stops in their message field...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Ok, if you're satisfied accept my answer.
Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi dcl,
use a regex like this (see https://regex101.com/r/bqvXJI/1)

Privileges:\s(?<Privilege>[^ ]*)

to have all privileges in the same field.
If in addition you want to separate each value in a row use mvexpand command.
Bye.
Giuseppe
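The regex from Giuseppe's answer and the calculated fields from the accepted solution, worked through in Python as an added example (not code from the thread, from Splunk, or from its Windows add-on): it runs the same `Privileges:\s(?<Privilege>[^ ]*)` pattern over a constructed 4672 message, splits the capture into a multivalue list the way makemv/mvexpand would, maps the names to the friendly descriptions, and shows why a `.+Name` match can miss the first entry when only one whitespace character follows the label. The sample event text, its tab layout, and the helper names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample 4672 message body (not a capture from the thread's system).
# Assumption: the forwarder kept the Windows message template's tab stops, so
# "Privileges:" is followed by two tabs and every further privilege sits on its
# own line indented with three tabs.
SAMPLE_4672 = (
    "Special privileges assigned to new logon.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tWIN-R9H529RIO4Y\\Administrator\r\n"
    "\tAccount Name:\t\tAdministrator\r\n"
    "\tAccount Domain:\t\tWIN-R9H529RIO4Y\r\n"
    "\tLogon ID:\t\t0x4b842\r\n"
    "\r\n"
    "Privileges:\t\tSeSecurityPrivilege\r\n"
    "\t\t\tSeTakeOwnershipPrivilege\r\n"
    "\t\t\tSeLoadDriverPrivilege\r\n"
    "\t\t\tSeBackupPrivilege\r\n"
    "\t\t\tSeRestorePrivilege\r\n"
    "\t\t\tSeDebugPrivilege\r\n"
    "\t\t\tSeSystemEnvironmentPrivilege\r\n"
    "\t\t\tSeImpersonatePrivilege\r\n"
)

# Variant laid out like the original post's paste: a single space after the label.
SINGLE_SPACE_4672 = SAMPLE_4672.replace("Privileges:\t\t", "Privileges: ")

# Same pattern as the thread's EXTRACT; Python spells a named group (?P<name>...).
PRIVILEGES_RE = re.compile(r"Privileges:\s(?P<Privilege>[^ ]*)")

# Friendly names taken from the accepted answer's EVAL statements (a subset).
DESCRIPTIONS = {
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeBackupPrivilege": "Backup files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeDebugPrivilege": "Debug programs",
    "SeSystemEnvironmentPrivilege": "Modify firmware environment values",
    "SeTcbPrivilege": "Act as part of the operating system",
}


def extract_privilege_block(raw: str) -> str:
    """Return the raw capture of the Privileges section, or '' if absent.

    [^ ]* stops only at a space; tabs and line breaks are swallowed, so the
    whole indented list ends up in one capture. That is why this EXTRACT
    recovers the rows the default Privileges field loses.
    """
    m = PRIVILEGES_RE.search(raw)
    return m.group("Privilege") if m else ""


def split_privileges(block: str) -> List[str]:
    """Turn the capture into a multivalue list (what makemv/mvexpand do in SPL)."""
    return block.split()


def describe(privs: List[str]) -> Dict[str, str]:
    """Mirror the EVAL-Se* fields: friendly text when held, 'X' otherwise."""
    held = set(privs)
    return {name: (desc if name in held else "X") for name, desc in DESCRIPTIONS.items()}


def holds_privilege(block: str, name: str, anchored: bool = True) -> bool:
    """The accepted answer's match() test, in both spellings.

    anchored=False reproduces a ".+SeName" pattern, which needs at least one
    character before the name on the same line; anchored=True uses \\bSeName\\b,
    which also matches the first entry when only one whitespace character
    separates it from the "Privileges:" label.
    """
    pattern = rf"\b{re.escape(name)}\b" if anchored else rf".+{re.escape(name)}"
    return re.search(pattern, block) is not None


if __name__ == "__main__":
    block = extract_privilege_block(SAMPLE_4672)
    for name, text in describe(split_privileges(block)).items():
        print(f"{name:32} {text}")
    ss_block = extract_privilege_block(SINGLE_SPACE_4672)
    print("first entry with '.+' pattern, single space:",
          holds_privilege(ss_block, "SeSecurityPrivilege", anchored=False))
    print("first entry with '\\b' pattern, single space:",
          holds_privilege(ss_block, "SeSecurityPrivilege"))
```

The two sample layouts matter in practice: on a forwarder that preserves the message template's tab stops both patterns find the first privilege, but on a single-space layout the unanchored form silently reports "X" for the one right that sits on the label line, which is exactly the kind of gap a privileged-logon report should not have.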
