Splunk Search

Search Using Regular Expression is Case-Sensitive

Explorer

I'm using a regular expression to locate a certain field in a particular event and then return results where the contents of that field are "like" a certain string. However, what I'm finding is that the "like" operator is matching based on case. Similarly, when I switch the query to match the string exactly (i.e., using "="), this too is case-sensitive.

The example below returns the desired result. However, if I make the following change, no result is returned:

where (like (LoginSecurityID,"%UserName%"))
--to--
where (like (LoginSecurityID,"%username%"))

Any idea on how I can make this case INsensitive? Thanks for the help.

Search Being Run

EventCode=4688
| rex "(?ms)Security ID:..(?<Login_Security_ID>[DOMAIN]+.\w+.\w+)"
| rex "(?ms)New Process Name:..(?<New_Process_Name>.\S*)"
| where New_Process_Name=":\Windows\System32\mmc.exe"
| where (like (Login_Security_ID,"%UserName%")) 
| eval attemptoutcome = keywords

Event Attempting to Return

08/10/2018 10:37:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=server.DOMAIN.com
TaskCategory=Process Creation
OpCode=Info
RecordNumber=6646657
Keywords=Audit Success
Message=A new process has been created.

Subject:
    Security ID:        DOMAIN\srvcUserName
    Account Name:       srvcUserName
    Account Domain:     DOMAIN
    Logon ID:       0xd3245f55

Process Information:
    New Process ID:     0x9b4
    New Process Name:   C:\Windows\System32\mmc.exe
    Token Elevation Type:   TokenElevationTypeLimited (3)
    Creator Process ID: 0xf48
    Process Command Line:

1 Solution

SplunkTrust

@adamfiore, for a case-insensitive match, please use the match() function with the (?i) parameter:

| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")

Following is a run-anywhere example based on your sample data:

| makeresults 
| eval _raw=" 08/10/2018 10:37:47 AM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4688
 EventType=0
 Type=Information
 ComputerName=server.DOMAIN.com
 TaskCategory=Process Creation
 OpCode=Info
 RecordNumber=6646657
 Keywords=Audit Success
 Message=A new process has been created.

 Subject:
     Security ID:        DOMAIN\srvcUserName
     Account Name:        srvcUserName
     Account Domain:        DOMAIN
     Logon ID:        0xd3245f55

 Process Information:
     New Process ID:        0x9b4
     New Process Name:    C:\Windows\System32\mmc.exe
     Token Elevation Type:    TokenElevationTypeLimited (3)
     Creator Process ID:    0xf48
     Process Command Line:" 
| rex "Security ID:\s+(?<Login_Security_ID>[^\s]+)\s"
| rex "New Process Name:\s+(?<New_Process_Name>[^\s]+)\s"
| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Explorer

@niketnilay, thanks for the reply. Same as above though, this didn't work for me. I also tried using (?i) with the like function, as well as matching the case of the username exactly as it's appearing in the event, but even that failed to return a result. Here are a few of the variations I tried:

| where match (LoginSecurityID,"(?i)domain\srvcusername")
| where match (LoginSecurityID,"(?i)DOMAIN\srvcUserName")
| where like (LoginSecurityID,"(?i)domain\srvcusername")
| where match (LoginSecurityID,"(?i)DOMAIN\srvcUserName")
| where like (LoginSecurityID,"(?i)%username")


SplunkTrust

@adamfiore, two things need to be changed:

1) Use \\ to escape each \ in the path, as stated in my answer.
2) Use AND to join multiple match conditions together, as stated in my answer, instead of using separate pipes.

Builder

Hello, I think you need to escape that backslash as follows:
where match (LoginSecurityID,"(?i)DOMAIN\\srvcUserName")

Explorer

Thanks @chanfoli, that worked. Assuming I can't use the "%" wildcard with "match", like this:

| where match (LoginSecurityID,"(?i)%srvcusername")

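The follow-up question about the "%" wildcard is not answered in the thread. The run-anywhere search below is an added example, not part of the original thread, built on the sample 4688 event posted above. It evaluates like() and match() side by side so the differences show up in one table: like() is case-sensitive unless the field is passed through lower() first; inside a match() regex "%" is an ordinary literal character (the regex equivalent of a wildcard is ".*", and an unanchored match() already looks anywhere in the string, so the OP's "(?i)username" needs no wildcard at all); and for the process path the regex uses "." in place of the backslash separator and escapes the dot in mmc.exe, which keeps the example clear of the backslash-escaping problem discussed above. The field names like_cs, like_lower, match_ci, match_pct, match_dotstar and proc_ci and the hit/miss labels are my own. Case matters here for a security reason, not a cosmetic one: Windows treats account names and paths case-insensitively, so a case-sensitive filter on a 4688 event silently drops matches whenever the log renders the name in a different case than the search.

```spl
| makeresults
| eval _raw="08/10/2018 10:37:47 AM
LogName=Security
EventCode=4688
Message=A new process has been created.

Subject:
    Security ID:        DOMAIN\srvcUserName
    Account Name:       srvcUserName
    Account Domain:     DOMAIN

Process Information:
    New Process ID:     0x9b4
    New Process Name:   C:\Windows\System32\mmc.exe"
| rex "Security ID:\s+(?<Login_Security_ID>\S+)"
| rex "New Process Name:\s+(?<New_Process_Name>\S+)"
| eval like_cs       = if(like(Login_Security_ID, "%username%"), "hit", "miss")
| eval like_lower    = if(like(lower(Login_Security_ID), "%username%"), "hit", "miss")
| eval match_ci      = if(match(Login_Security_ID, "(?i)username"), "hit", "miss")
| eval match_pct     = if(match(Login_Security_ID, "(?i)%username"), "hit", "miss")
| eval match_dotstar = if(match(Login_Security_ID, "(?i).*username$"), "hit", "miss")
| eval proc_ci       = if(match(New_Process_Name, "(?i)system32.mmc\.exe$"), "hit", "miss")
| table Login_Security_ID New_Process_Name like_cs like_lower match_ci match_pct match_dotstar proc_ci
```

like_cs and match_pct are the two columns that come back as miss: the first because like() compares case-sensitively against the literal "username", the second because "%" is not a regex metacharacter and the field contains no percent sign. Either of the remaining forms works as the filter in the OP's search, for example `| where match(New_Process_Name, "(?i)system32.mmc\.exe$") AND like(lower(Login_Security_ID), "%username%")`. Anchoring the process pattern with "$" and escaping the dot matters for detection use: an unanchored "mmc.exe" also matches paths such as a renamed binary in another directory that merely contains those characters.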

Communicator

Replace the two where statements with a subsearch.

| search NewProcessName="C:\Windows\System32\mmc.exe" AND LoginSecurityID = username

Explorer

@anthonymelita Thanks for the reply, but I'm afraid this didn't work. In fact, I couldn't get the sub-search to work even when I matched the case of the username in the search query exactly as it's showing up in the event, as seen below:

| search NewProcessName="C:\Windows\System32\mmc.exe" AND LoginSecurityID = DOMAIN\srvcUserName
