I want a regular expression to pull a file name out of a path that is the process field. The path could be any directory, and the filename could be named anything.
Sample logs.
Oct 25 14:47:20 server.domain.local Oct 25 14:47:19 172.23.0.24 system event: text="Modification (Create Key) of registry '\registry\machine\system\currentcontrolset\services\napagent\qecs\' by 'company\user' was allowed." type="Policy Enforcement" subtype="Report write (registry rule)" hostname="domain\computer" username="domain\user" date="10/25/2017 7:46:25 PM" ip_address="172.23.1.13" process="c:\windows\system32\mmc.exe" policy="Windows Medium Enforcement" rule_name="FIM_OSSEC" process_key="00000000-0000-15e8-01d3-490915c2f584" server_version="7.2.1.1903" process_trust="10" process_threat="0"
Oct 25 13:31:50 server2.domain.local Oct 25 13:31:43 172.23.0.24 1 2017-10-25T18:31:43Z server2.domain.local - - - - event: text="'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/25/2017 6:30:38 PM" ip_address="172.16.1.12" process="c:\windows\system32\mmc.exe" file_path="c:\users\dccon\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" file_name="administrative tools" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-0848-01d3-4d9cda329d68" server_version="7.2.1.1903" process_trust="10" process_threat="0"
Try this to get filename and directory in two separate fields.
your query to return events
| rex "\sprocess=\"(?<directory>(\S+\\))(?<filename>[^\"]+)\""
| table directory, filename
If you need all in one field called file, then try this:
your query to return events
| rex "\sprocess=\"(?<file>[^\"]+)\""
Ah, so I didn't account for file paths with spaces like the one below.
Oct 26 07:51:38 server.domain.local Oct 26 07:51:37 172.23.0.24 system event: text="'c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/26/2017 12:50:01 PM" ip_address="172.12.0.12" process="c:\program files\microsoft sql server\mssql10_50.mssqlserver\mssql\binn\databasemail.exe" file_path="c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21" file_name="7396c420a8e1bc1da97f1af0d10bad21" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-1bc4-01d3-4e58efc90f89" server_version="7.2.1.1903" process_trust="10" process_threat="0"
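Added example, not from the thread: the first answer's rex transcribed to Python (the re module spells a named group (?P<name>...) where Splunk's PCRE uses (?<name>...)), run against constructed events shaped like the logs above, next to a space-tolerant variant that splits at the last backslash. It shows that on the "c:\program files\..." path the original pattern does not fail to match but splits in the wrong place.

```python
import re

# Constructed events, shortened to the fields that matter; same layout as the
# logs in the question (process= followed by policy= or file_path=).
EVENTS = [
    r'Oct 25 14:47:20 server.domain.local event: type="Policy Enforcement" '
    r'process="c:\windows\system32\mmc.exe" policy="Windows Medium Enforcement"',
    r'Oct 26 07:51:38 server.domain.local event: type="Policy Enforcement" '
    r'process="c:\program files\microsoft sql server\mssql10_50.mssqlserver\mssql\binn\databasemail.exe" '
    r'file_path="c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21"',
]

# The first answer's rex, transcribed. \S+ cannot cross a space, so on a path
# such as "c:\program files\..." the engine backtracks to the *first* backslash:
# the match succeeds, but directory/filename land in the wrong place.
NO_SPACES = re.compile(r'\sprocess="(?P<directory>(\S+\\))(?P<filename>[^"]+)"')

# Space-tolerant variant: the directory is everything up to the last backslash
# ([^"]* is greedy and backtracks to the final one); the filename is the rest,
# which by construction contains no backslash.
WITH_SPACES = re.compile(r'\sprocess="(?P<directory>[^"]*\\)(?P<filename>[^"\\]+)"')


def split_process(event, pattern=WITH_SPACES):
    """Return (directory, filename) from the process= field, or None if absent."""
    m = pattern.search(event)
    if m is None:
        return None
    return m.group("directory"), m.group("filename")


def split_all(events, pattern=WITH_SPACES):
    """Apply split_process to every event, like '| table directory, filename'."""
    return [split_process(e, pattern) for e in events]


if __name__ == "__main__":
    for label, pat in (("original rex", NO_SPACES), ("space-tolerant", WITH_SPACES)):
        print(label)
        for directory, filename in split_all(EVENTS, pat):
            print(f"  directory={directory!r} filename={filename!r}")
```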
process=".+\\(?<filename>[^"]+)" (policy|file_path)=
^.+\sprocess="(?<filename>.+?)".+$