Splunk Search

How to extract field from Windows event log

davidjohnbecket
Path Finder

The event I have is from a Windows event log and AppLocker.

See below:

LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run.

I would like to extract a new field labeled "Application" and have the search return TASKHOSTW.EXE.

How can I do this? (Regex is not my strong suit)

p.s. Happy to do the extraction at the time of the search.

0 Karma
1 Solution

mayurr98
Super Champion

Try this run-anywhere search:

| makeresults 
| eval data="LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run." 
| rex field=data "Message=.*\\\(?<Application>[^\s]+)\s\w+"

On your prod data the search would be:

| rex field=_raw "Message=.*\\\(?<Application>[^\s]+)\s\w+"


vik_splunk
Communicator

Hi @davidjohnbeckettorb

If it's a regex you would like to use, the one below should work for you.

|rex field=Message "(?i)^.+\\(?P<'Application'>[^\s]+)"

provided you are trying to capture the value between the first backslash (this --> \) and the next space that appears.

Please remove the '' around Application when trying it; I'm not sure how to include text in angle brackets here.

There are other ways to achieve this using an eval and it can be explored if you need to.
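The two answers above both capture "a run of non-space characters after the last backslash", which is exactly right for the TASKHOSTW.EXE event in the question. The following is an added example (not from the thread or from Splunk), written in Python's re module because its PCRE-style named groups behave like rex, to show that pattern working on the event from the question and to show the one caveat a detection engineer would want: an AppLocker path that contains a space (the second event is constructed for that purpose) gets truncated by the whitespace-based capture, whereas a pattern anchored on the fixed "was allowed to run." tail of the 8002 message keeps the whole file name. The key=value layout and the field names come from the event in the question; the second event and the ROBUST_RE pattern are assumptions of this example.

```python
import re

# Constructed sample events in the key=value layout shown in the thread.
# The first is the event from the question; the second is invented here to
# exercise a path whose directory and file name contain spaces.
SAMPLE_EVENTS = [
    "LogName=Microsoft-Windows-AppLocker/EXE and DLL\n"
    "SourceName=Microsoft-Windows-AppLocker\n"
    "EventCode=8002\n"
    "Message=%SYSTEM32%\\TASKHOSTW.EXE was allowed to run.",
    "LogName=Microsoft-Windows-AppLocker/EXE and DLL\n"
    "SourceName=Microsoft-Windows-AppLocker\n"
    "EventCode=8002\n"
    "Message=%PROGRAMFILES%\\CONTOSO TOOLS\\UPDATE HELPER.EXE was allowed to run.",
]

# Same logic as the thread's rex: greedy ".*" backtracks to the LAST backslash,
# then a run of non-whitespace is captured. Correct for TASKHOSTW.EXE, but a
# file name with a space in it is cut off at that space.
THREAD_RE = re.compile(r"Message=.*\\(?P<Application>[^\s]+)\s\w+")

# Assumed alternative: anchor on the fixed tail of the 8002 message instead of
# on whitespace, so the whole file name survives even when the path has spaces.
# Path is the directory part, Application the file name after its last backslash.
ROBUST_RE = re.compile(
    r"Message=(?P<Path>.+?)\\(?P<Application>[^\\]+) was allowed to run\."
)


def parse_event(raw: str) -> dict:
    """Split the key=value lines of a Windows event (as Splunk renders it) into a dict."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:  # ignore lines without '='
            fields[key.strip()] = value.strip()
    return fields


def extract_application(raw: str, pattern: re.Pattern = ROBUST_RE):
    """Return the Application value captured by `pattern`, or None if it does not match."""
    m = pattern.search(raw)
    return m.group("Application") if m else None


def compare_patterns(events):
    """For each event, show what the thread's pattern and the anchored pattern capture."""
    rows = []
    for raw in events:
        fields = parse_event(raw)
        rows.append({
            "EventCode": fields.get("EventCode"),
            "thread_regex": extract_application(raw, THREAD_RE),
            "anchored_regex": extract_application(raw, ROBUST_RE),
        })
    return rows


if __name__ == "__main__":
    for row in compare_patterns(SAMPLE_EVENTS):
        print(row)
```

Run it and the first event yields TASKHOSTW.EXE under both patterns, while the constructed second event yields UPDATE under the thread's pattern and UPDATE HELPER.EXE under the anchored one. If the executable names feed allow-lists or alerting, the anchored form is the safer choice; it carries over to rex with the same doubled backslashes the answers above use.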

davidjohnbecket
Path Finder

Thank you @vik_splunk - worked a treat!

0 Karma


davidjohnbecket
Path Finder

Thank you @mayurr98. Added this to my search and it pulled out the application nicely. Much appreciated.

0 Karma