Splunk Search

How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627

att35
Builder

Need some help in extracting Group Membership details from Windows Event Code 4627.

As explained in this answer,

https://community.splunk.com/t5/Splunk-Search/Regex-not-working-as-expected/m-p/470417

following seems to be working to extract Group_name, but capture doesn't stop once the group list ends. Instead, it continues to match everything till end of line. I experimented with (?ms) and (?m) but didnt have any succes. 

 

 

 

"(?ms)(?:^Group Membership:\t\t\t|\G(?!^))\r?\n[\t ]*(?:[^\\\r\n]*\\\)*(?<Group_name>(.+))"

 

 

 

 

 

09/04/2024 11:59:59 PM
LogName=Security
EventCode=4627
EventType=0
ComputerName=DCServer.domain.x.y
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=64222222324
Keywords=Audit Success
TaskCategory=Group Membership
OpCode=Info
Message=Group membership information.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		DCServer$
	Account Domain:		Domain
	Logon ID:		0x1111

Logon Type:			3

New Logon:
	Security ID:		Domain\Account
	Account Name:		Account
	Account Domain:		Domain
	Logon ID:		0x5023236

Event in sequence:		1 of 1

Group Membership:			
		Domain\Group1
		Group2
		BUILTIN\Group3
		BUILTIN\Group4
		BUILTIN\Group5
		BUILTIN\Group6
		NT AUTHORITY\NETWORK
		NT AUTHORITY\Authenticated Users
		Domain\Group7

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

 

 

 

When I use this regex, it does capture starting from the Group list but continues on till the end of event.

Group_name.png

How can I tell regex to stop matching once the group list ends? Also, this regex seems to be putting all groups as a single match. Is it possible to make it multi-valued, so that we can count total number of groups present in a given event, e.g. 9 groups in the event example above.

 

Thanks,

~Abhi

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "(?m)^\t\t+(?<Group_name>.+)$"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "(?m)^\t\t+(?<Group_name>.+)$"

att35
Builder

Thanks @ITWhisperer 

That worked perfectly. 

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...