Windows Event Code 4765

slander00
Explorer

I am having an issue trying to get the group name for Windows security event ID 4765. I am a little new to using regex, so I am not sure why it is not working. I used http://regex101.com to help build the regex and it seemed to work, but when I went to run it in Splunk I didn't get any results.

REGEX:
Group:\n\sSecurity ID:\s\s(?[^\n]+)

Example:

04/19/2018 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.

Subject:
Security ID: ACME\HELLOWORLD
Account Name: HELLOWORLD
Account Domain: ACME
Logon ID: 0x33B39999

Member:
Security ID: ACME\testhello
Account Name: CN=TESTHELLO,OU=LA,OU=ACME_USERS,DC=ACME,DC=com

Group:
Security ID: ACME\HELLO-WORLD_PP
Account Name: HELLO-WORLD_PP
Account Domain: ACME

Additional Information:
Privileges: -

0 Karma

woodcock
Esteemed Legend

Your RegEx is not as flexible as it needs to be. Windows uses both newlines and linefeeds (it is a long, sad story). Try this:

Group:[\r\n\s]+Security ID:\s+([^\r\n\s]+)
0 Karma
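To see why the original pattern fails and the suggested one matches, here is an added Python check (not from this thread and not Splunk's own extraction code) run against a constructed copy of the sample event. The constructed Message uses CRLF line endings and tab indentation, which is how Windows writes the event text before the forum flattened it. It also generalises the answer's pattern to pull the Security ID out of all three sections (Subject, Member, Group) in one pass, which is a useful field set when auditing group-membership changes.

```python
import re

# Constructed sample modelled on the Message block in the question, with the
# CRLF line endings and tab indentation that Windows puts into the event text.
SAMPLE_MESSAGE = (
    "A member was added to a security-enabled universal group.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tACME\\HELLOWORLD\r\n"
    "\tAccount Name:\t\tHELLOWORLD\r\n"
    "\tAccount Domain:\t\tACME\r\n"
    "\tLogon ID:\t\t0x33B39999\r\n"
    "\r\n"
    "Member:\r\n"
    "\tSecurity ID:\t\tACME\\testhello\r\n"
    "\tAccount Name:\t\tCN=TESTHELLO,OU=LA,OU=ACME_USERS,DC=ACME,DC=com\r\n"
    "\r\n"
    "Group:\r\n"
    "\tSecurity ID:\t\tACME\\HELLO-WORLD_PP\r\n"
    "\tAccount Name:\t\tHELLO-WORLD_PP\r\n"
    "\tAccount Domain:\t\tACME\r\n"
    "\r\n"
    "Additional Information:\r\n"
    "\tPrivileges:\t\t-\r\n"
)

# The pattern from the question: one literal LF, exactly one whitespace
# character, then exactly two. The group name "group_sid" is an assumption;
# the original post's capture-group name did not survive extraction.
STRICT_PATTERN = re.compile(r"Group:\n\sSecurity ID:\s\s(?P<group_sid>[^\n]+)")

# The pattern from the answer: any run of CR/LF/whitespace between the tokens,
# and a capture that stops at the first CR, LF or whitespace.
FLEXIBLE_PATTERN = re.compile(
    r"Group:[\r\n\s]+Security ID:\s+(?P<group_sid>[^\r\n\s]+)"
)

# Generalisation of the answer's pattern: capture the Security ID under each
# of the three section headers in a single pass.
SECTION_PATTERN = re.compile(
    r"(?P<section>Subject|Member|Group):[\r\n\s]+Security ID:\s+(?P<sid>[^\r\n\s]+)"
)


def extract_group_sid(message, pattern):
    """Return the Group Security ID, or None if the pattern does not match."""
    m = pattern.search(message)
    return m.group("group_sid") if m else None


def extract_section_sids(message):
    """Return {section: security_id} for Subject, Member and Group."""
    return {m.group("section"): m.group("sid") for m in SECTION_PATTERN.finditer(message)}


if __name__ == "__main__":
    # The strict pattern never sees "Group:\n" because a CR precedes the LF.
    print("strict, CRLF :", extract_group_sid(SAMPLE_MESSAGE, STRICT_PATTERN))
    # With the CRs stripped it matches, which isolates the CR as the cause.
    print("strict, LF   :", extract_group_sid(SAMPLE_MESSAGE.replace("\r\n", "\n"), STRICT_PATTERN))
    print("flexible     :", extract_group_sid(SAMPLE_MESSAGE, FLEXIBLE_PATTERN))
    print("all sections :", extract_section_sids(SAMPLE_MESSAGE))
```

Two things carry over to Splunk. First, Splunk's `rex` uses PCRE syntax, so the named group is written `(?<group_sid>...)` rather than Python's `(?P<group_sid>...)`, and a name is required if you want the capture to become a field, for example `| rex field=Message "Group:[\r\n\s]+Security ID:\s+(?<group_sid>[^\r\n\s]+)"`. Second, `\s` already matches CR and LF in both PCRE and Python, so `[\r\n\s]+` behaves the same as `\s+`; the important change from the original is replacing the literal `\n` and the fixed counts of `\s` with open-ended whitespace runs, and excluding `\r` from the capture so the field does not end with a stray carriage return.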

slander00
Explorer

I am using the app, but it isn't extracting a few fields for some event codes. I had to extract some other fields already.

0 Karma

adonio
Ultra Champion

Are you using the Windows TA?
https://splunkbase.splunk.com/app/742/
It is supposed to have all the extractions there.

Hope it helps.

0 Karma