Re: Windows Event Code 4765

slander00 · ‎04-19-2018

I am having an issue trying to get the group name for windows security event ID 4765. I am a little new to using regex so I am not sure why it is not working. I used http://regex101.com to help build the regex and it seemed to work. But when I went to run in in Splunk I didn't get any results.

REGEX:
Group:\n\sSecurity ID:\s\s(?[^\n]+)

Example:

04/19/2018 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.

Subject:
Security ID: ACME\HELLOWORLD
Account Name: HELLOWORLD
Account Domain: ACME
Logon ID: 0x33B39999

Member:
Security ID: ACME\testhello
Account Name: CN=TESTHELLO,OU=LA,OU=ACME_USERS,DC=ACME,DC=com

Group:
Security ID: ACME\HELLO-WORLD_PP
Account Name: HELLO-WORLD_PP
Account Domain: ACME

Additional Information:
Privileges: -

woodcock · ‎04-22-2018

Your RegEx is not as flexible as it needs to be. Windows uses both newlines and linefeeds (it is a long, sad story). Try this:

Group:[\r\n\s]+Security ID:\s+([^\r\n\s]+)

slander00 · ‎04-20-2018

I am using the app but it isn't extracting a few fields for some eventcodes. I had to extract some other fields already.

adonio · ‎04-19-2018

are you using the windows TA?
https://splunkbase.splunk.com/app/742/
supposed to have all the extractions there

hope it helps

Windows Event Code 4765

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!