I am having an issue trying to get the group name for windows security event ID 4765. I am a little new to using regex so I am not sure why it is not working. I used http://regex101.com to help build the regex and it seemed to work. But when I went to run in in Splunk I didn't get any results.
REGEX:
Group:\n\sSecurity ID:\s\s(?[^\n]+)
Example:
04/19/2018 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.
Subject:
Security ID: ACME\HELLOWORLD
Account Name: HELLOWORLD
Account Domain: ACME
Logon ID: 0x33B39999
Member:
Security ID: ACME\testhello
Account Name: CN=TESTHELLO,OU=LA,OU=ACME_USERS,DC=ACME,DC=com
Group:
Security ID: ACME\HELLO-WORLD_PP
Account Name: HELLO-WORLD_PP
Account Domain: ACME
Additional Information:
Privileges: -
... View more