The event I have is from a Windows event log and AppLocker. See below:
LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run.
I would like to extract the new field labeled "Application" and have the search return the TASKHOSTW.EXE
How can I do this? (Regex is not my strong suit)
p.s. Happy to do the extraction at the time of the search.
Try this run-anywhere search
| makeresults
| eval data="LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run."
| rex field=data "Message=.*\\\(?<Application>[^\s]+)\s\w+"
On your prod data the code would be
| rex field=_raw "Message=.*\\\(?<Application>[^\s]+)\s\w+"
Hi @davidjohnbeckettorb
If it's a regex you would like to use, below should work for you.
|rex field=Message "(?i)^.+\\(?P<'Application'>[^\s]+)"
provided you are trying to capture the value between the first backslash (\) and the next space that appears.
Please remove the '' in Application while attempting it. Not sure how I include text in angle brackets.
There are other ways to achieve this using an eval and it can be explored if you need to.
Thank you @vik_splunk - worked a treat!
Thank you @mayurr98. Added this to my search and it pulled out the application nicely. Much appreciated.
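The two rex patterns posted above both rely on `[^\s]+` to stop the capture at the first space after the last backslash, which is fine for TASKHOSTW.EXE but silently truncates an executable whose file name contains a space. The following is an added example (mine, not code from the thread or from Splunk) that runs both posted patterns and a more robust variant over a handful of constructed AppLocker Message values, using Python's re module in place of Splunk's PCRE engine. The patterns are written as the regex engine receives them (one escaped backslash per literal backslash; the extra backslashes in the posted rex commands are SPL string escaping), and the named group uses the `(?P<name>...)` form that Python requires and that vik_splunk's answer already uses. The sample messages other than the first are constructed, and the mapping of "was prevented from running" to EventCode 8004 comes from AppLocker's documented event IDs, not from this thread.

```python
import re

# Constructed sample events for this example. Only the first Message is from the thread;
# the others are made up to show a nested path, a blocked executable, and a file name
# containing a space. Tuples are (EventCode, Message) as the Windows event carries them.
SAMPLE_EVENTS = [
    (8002, r"%SYSTEM32%\TASKHOSTW.EXE was allowed to run."),
    (8002, r"%PROGRAMFILES%\GOOGLE\CHROME\APPLICATION\CHROME.EXE was allowed to run."),
    (8004, r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\INSTALLER.EXE was prevented from running."),
    (8002, r"%OSDRIVE%\TEMP\MY TOOL.EXE was allowed to run."),
]

# The two patterns posted in the thread, as the regex engine sees them.
# mayurr98's runs against _raw (which includes the "Message=" prefix); vik_splunk's
# runs against the already-extracted Message field.
RE_THREAD_1 = re.compile(r"Message=.*\\(?P<Application>[^\s]+)\s\w+")
RE_THREAD_2 = re.compile(r"(?i)^.+\\(?P<Application>[^\s]+)")

# Added variant (not from the thread): a Windows file name cannot contain a backslash,
# so the application is everything after the last backslash up to the AppLocker verb
# phrase " was allowed" / " was prevented". Unlike [^\s]+ this keeps spaces in the name,
# and the second group records the policy decision for free.
RE_ROBUST = re.compile(
    r"\\(?P<Application>[^\\]+?) was (?P<Decision>allowed|prevented)\b"
)


def _capture(pattern, text):
    """Return the Application group of the first match, or None if the pattern fails."""
    m = pattern.search(text)
    return m.group("Application") if m else None


def compare_patterns(message):
    """Run the three patterns on one Message value and return {name: captured value}."""
    raw = "Message=" + message  # what _raw looks like for the thread_1 pattern
    return {
        "thread_1": _capture(RE_THREAD_1, raw),
        "thread_2": _capture(RE_THREAD_2, message),
        "robust": _capture(RE_ROBUST, message),
    }


def extract_application(message):
    """Return (application, decision) from an AppLocker Message, or (None, None)."""
    m = RE_ROBUST.search(message)
    if not m:
        return None, None
    return m.group("Application"), m.group("Decision")


def blocked_executables(events):
    """Applications from events AppLocker blocked (EventCode 8004, 'was prevented')."""
    return [extract_application(msg)[0] for code, msg in events if code == 8004]


if __name__ == "__main__":
    for code, msg in SAMPLE_EVENTS:
        print(code, compare_patterns(msg))
    print("blocked:", blocked_executables(SAMPLE_EVENTS))
```

On the four samples all three patterns agree except for the last one, where the two posted patterns return only `MY` while the robust pattern returns `MY TOOL.EXE`. If you move the robust pattern into a rex command, keep the same backslash-escaping style as the posted answers for the literal backslashes, and note that 8002 events are "allowed" decisions; the blocked executables a detection engineer usually wants come from 8004 events, which the same extraction handles.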