Splunk Search

Regex for Windows Event from Syslog agent

leonheart78
Explorer

Hi, I'm trying to get the Target Account ID from the Windows Event parsed from a syslog agent. I'm trying to capture the Target Account Name and Domain. The Account Name appeared in the below samples:

91275674
DEVOP0030
TEST. STUADMGR
dev.devmgr

When using Splunk regex, I could not capture all the above variations. I would love to know how I can do this extraction properly.

2017-08-30 13:37:40 Kernel.Notice 172.21.197.99 Aug 30 13:37:56 DVDMZDCPRD01.dmz.devops.edu.my MSWinEventLog 5 Security 2548728 Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success DVDMZDCPRD01.dmz.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-21-3530313057-30343534556-3718217427-2613
Account Name: svc.vendor_guest
Account Domain: DMZ
Logon ID: 0x2524625D
Target Account:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067
||Account Name: 91275674||
||Account Domain: DMZ||
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 8/30/2017 1:37:50 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -


aholzel
Communicator

I use this regex to make the Windows Eventlog Security CIM compliant for the Change Analysis and Authentication datamodel. It works with all the events I have encountered that have 2 accounts in the event (subject and target).

(?s)Subject\:.*?Account\s*Name\:\s*(?<src_user>[^\n]*)\n\s*Account\s*Domain\:\s*(?<src_nt_domain>[^\n]*).*?Account\s*Name\:\s*(?<user>[^\n]*)(?:\n\s*Account\s*Domain\:\s*(?<dest_nt_domain>[^\n]*)|\n)

I assumed you put the "|" around the Account Name and Domain Name to make clear what you were looking for....

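To see why the answer's regex copes with all four account-name variants from the question while a simpler pattern does not, here is an added Python check (not code from the thread). It runs the same regex, rewritten with Python's `(?P<name>...)` group syntax, over a constructed copy of the 4738 event body (tab-indented like real syslog-forwarded Windows events, and without the `||` markers the poster added), and compares the captured `user` field against a naive `\w+` pattern.

```python
import re
from typing import Dict, List, Optional, Tuple

# The answer's regex, with Python's (?P<name>...) group syntax in place of
# PCRE's (?<name>...); the pattern is otherwise unchanged.
ACCOUNT_RE = re.compile(
    r"(?s)Subject\:.*?Account\s*Name\:\s*(?P<src_user>[^\n]*)\n\s*"
    r"Account\s*Domain\:\s*(?P<src_nt_domain>[^\n]*).*?"
    r"Account\s*Name\:\s*(?P<user>[^\n]*)"
    r"(?:\n\s*Account\s*Domain\:\s*(?P<dest_nt_domain>[^\n]*)|\n)"
)

# A naive pattern that only allows "word" characters in the name, kept here to
# show why it cannot capture all four of the poster's sample account names.
NAIVE_TARGET_RE = re.compile(r"Target Account:.*?Account Name:\s*(\w+)", re.S)

# Constructed event body in the shape of the 4738 event from the question,
# without the "||" markers the poster added to highlight the fields.
EVENT_TEMPLATE = """A user account was changed.
Subject:
\tSecurity ID: S-1-5-21-3530313057-30343534556-3718217427-2613
\tAccount Name: svc.vendor_guest
\tAccount Domain: DMZ
\tLogon ID: 0x2524625D
Target Account:
\tSecurity ID: S-1-5-21-3530313057-3021056205-3718217427-25067
\tAccount Name: {target}
\tAccount Domain: DMZ
Changed Attributes:
\tSAM Account Name: -
\tPassword Last Set: 8/30/2017 1:37:50 PM
"""

# The four Target Account Name variants listed in the question.
SAMPLE_TARGETS = ["91275674", "DEVOP0030", "TEST. STUADMGR", "dev.devmgr"]


def extract_accounts(event: str) -> Dict[str, Optional[str]]:
    """Return the CIM-style fields the answer's regex captures
    (src_user, src_nt_domain, user, dest_nt_domain), or {} on no match."""
    m = ACCOUNT_RE.search(event)
    return m.groupdict() if m else {}


def naive_target(event: str) -> Optional[str]:
    """Target account name as the \\w+ pattern sees it (cut off at '.' or ' ')."""
    m = NAIVE_TARGET_RE.search(event)
    return m.group(1) if m else None


def compare_all() -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(expected name, answer-regex capture, naive capture) for each sample."""
    rows = []
    for name in SAMPLE_TARGETS:
        event = EVENT_TEMPLATE.format(target=name)
        rows.append((name, extract_accounts(event).get("user"), naive_target(event)))
    return rows


if __name__ == "__main__":
    for name, good, naive in compare_all():
        print(f"{name!r:18} answer regex -> {good!r:18} \\w+ -> {naive!r}")
```

The key detail is `[^\n]*`: it takes everything up to the end of the line, so names containing dots or spaces (`TEST. STUADMGR`, `dev.devmgr`) survive, whereas `\w+` stops at the first dot or space. The lazy `.*?` between the Subject and Target blocks is what makes the second `Account Name:` match land on the target rather than on a later `SAM Account Name:` line.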

leonheart78
Explorer

Thanks for the regex. May I know whether you were able to extract the Changed Attributes as well?
Thank you.


aholzel
Communicator

I am working on that one, but from a Change Analysis DM viewpoint: to fill the object_attrs field with the names of the attributes that were changed.

If you just want all the fields you can just create a regex for it.
I think you have 3 options for that:
1) create 1 regex that will extract every field available using the <_KEY_1> and <_VAL_1> options (read the transforms.conf documentation, REGEX part)
2) create a regex for every field you want to extract
3) create 1 regex that will get all the "Changed Attributes" fields. Note that this will not "hit" if one field is missing

I would go for option 1 because it is the most flexible, despite the fact that it will give me some additional fields without a value (for example Changed_Attributes)

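Option 1 above, the single key/value regex, emulated in Python as an added illustration (this is not the thread's code, and Splunk would do the dynamic naming with the `_KEY_1` / `_VAL_1` capture groups in transforms.conf rather than with `finditer`). It runs over a constructed "Changed Attributes" block copied in shape from the question's event, shows the empty-valued section-header fields the answer mentions, and derives the list of attributes that actually changed, which is what the Change Analysis `object_attrs` field wants.

```python
import re
from typing import Dict, List

# Constructed "Changed Attributes" block in the shape of the 4738 event from
# the question: every attribute is "Name: value", with "-" meaning unchanged.
CHANGED_ATTRS_SAMPLE = """Changed Attributes:
\tSAM Account Name: -
\tDisplay Name: -
\tUser Principal Name: -
\tHome Directory: -
\tPassword Last Set: 8/30/2017 1:37:50 PM
\tAccount Expires: -
\tOld UAC Value: -
\tNew UAC Value: -
\tUser Account Control: -
Additional Information:
\tPrivileges: -
"""

# One regex that yields a key and a value per match (option 1). The group
# names mirror Splunk's _KEY_1 / _VAL_1 convention; Python's re has no such
# dynamic-field feature, so finditer plus a dict stands in for it here.
# A header line such as "Changed Attributes:" matches with an empty value,
# which is the "additional field without a value" the answer warns about.
KV_RE = re.compile(r"^\s*(?P<_KEY_1>[^:\n]+?):[ \t]*(?P<_VAL_1>[^\n]*)$", re.M)


def field_name(key: str) -> str:
    """Turn 'SAM Account Name' into a Splunk-friendly field name 'SAM_Account_Name'."""
    return re.sub(r"\W+", "_", key.strip()).strip("_")


def extract_kv(section: str) -> Dict[str, str]:
    """Every 'Key: value' pair in the section as a dict, including the
    empty-valued section headers (the side effect of option 1)."""
    return {field_name(m.group("_KEY_1")): m.group("_VAL_1").rstrip()
            for m in KV_RE.finditer(section)}


def changed_attribute_names(section: str) -> List[str]:
    """Names of attributes whose value is neither '-' nor empty: the set that
    belongs in the Change Analysis datamodel's object_attrs field."""
    return [k for k, v in extract_kv(section).items() if v not in ("-", "")]


if __name__ == "__main__":
    for k, v in extract_kv(CHANGED_ATTRS_SAMPLE).items():
        print(f"{k} = {v!r}")
    print("changed:", changed_attribute_names(CHANGED_ATTRS_SAMPLE))
```

Because the key group is lazy (`[^:\n]+?`), a value containing colons, such as the `8/30/2017 1:37:50 PM` timestamp, stays intact; the split happens at the first colon only. Filtering out `-` and empty values is what separates "attribute present in the event" from "attribute actually changed", which is the distinction option 3 cannot make when a field is missing.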