New Policy:
Success Failure
+ + Logon/Logoff
+ - Object Access
+ - Privilege Use
+ + Account Management
+ - Policy Change
+ - System
+ - Detailed Tracking
+ - Directory Service Access
+ + Account Logon
I want to be able to list these in a chart so that it displays the new policy that has changed in each field. I am not sure how to create a regex to generate this type of result. Let me know if more information is needed. Thank you.
I would suggest this:
sourcetype=WinEvent:Security
| rex field=_raw "New Policy: Success Failure (?<newPolicy>.*?)Changed By:"
| eval newPolicies=replace(newPolicy,"([+-] [+-])",":\1")
| eval newPolicies=split(newPolicies,":")
| eval newPolicies=mvfilter(newPolicies!="")
| table EventCode newPolicies
This will give you a multi-valued field (newPolicies) for the policy changes, as well as a single-valued field that is simply the policy change string (newPolicy).
However, you might want to expand this in a different way, depending on the exact reporting that you want.
What sort of reporting do you want to do with this field? Count by policy change? Search for particular changes? Look for various +/- combinations?
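As an added example (not code from the original answer or from the poster), here is the same extraction done in Python against the event 612 sample posted later in this thread, plus one constructed follow-up event from the same host, so that the "which fields changed" part can be shown by comparing each event's policy to the previous one seen for that host. The category names, the "+ -" flag layout and the "Changed By:" anchor come from the sample; the second event, the host-keyed comparison and all function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

Flags = Tuple[bool, bool]  # (audit successes, audit failures)

# First event is the sample posted in the thread. The second is constructed for this
# example (not real log data): same host, later RecordNumber, two categories flipped.
EVENTS = [
    "LogName=Security SourceName=Security EventCode=612 EventType=8 Type=Success Audit "
    "ComputerName=W573712 User=SYSTEM Sid=S-1-5-18 SidType=1 Category=6 "
    "CategoryString=Policy Change RecordNumber=325253 Message=Audit Policy Change: "
    "New Policy: Success Failure + + Logon/Logoff - + Object Access - - Privilege Use "
    "+ + Account Management + - Policy Change + - System - - Detailed Tracking "
    "- - Directory Service Access + + Account Logon Changed By: User Name: W57371248$ "
    "Domain Name: SERVER Logon ID: (0x0,0x3E7)",
    "LogName=Security SourceName=Security EventCode=612 EventType=8 Type=Success Audit "
    "ComputerName=W573712 User=SYSTEM Sid=S-1-5-18 SidType=1 Category=6 "
    "CategoryString=Policy Change RecordNumber=325260 Message=Audit Policy Change: "
    "New Policy: Success Failure + + Logon/Logoff - - Object Access - - Privilege Use "
    "+ + Account Management + - Policy Change + - System - - Detailed Tracking "
    "- - Directory Service Access - - Account Logon Changed By: User Name: W57371248$ "
    "Domain Name: SERVER Logon ID: (0x0,0x3E7)",
]

# Same anchors the SPL rex uses: everything between the column header and "Changed By:".
POLICY_BLOCK = re.compile(r"New Policy: Success Failure (.*?)Changed By:")
# One entry: success flag, failure flag, category name (may contain spaces), ending at
# the next "+/-" pair or at the end of the block.
POLICY_ENTRY = re.compile(r"([+-]) ([+-]) (.+?)(?= [+-] [+-] |\s*$)")
COMPUTER = re.compile(r"ComputerName=(\S+)")
RECORD = re.compile(r"RecordNumber=(\d+)")


def parse_policy(event: str) -> Dict[str, Flags]:
    """Return {category: (success, failure)} for one event 612, or {} if no policy block."""
    m = POLICY_BLOCK.search(event)
    if not m:
        return {}
    return {
        name: (succ == "+", fail == "+")
        for succ, fail, name in POLICY_ENTRY.findall(m.group(1))
    }


def fmt(flags: Flags) -> str:
    """Render flags the way the event prints them, e.g. '+ -'."""
    return " ".join("+" if f else "-" for f in flags)


def diff_policies(old: Dict[str, Flags], new: Dict[str, Flags]) -> List[Tuple[str, str, str]]:
    """Categories whose success/failure setting differs between two parsed policies."""
    changed = []
    for name, flags in new.items():
        if old.get(name) != flags:
            changed.append((name, fmt(old[name]) if name in old else "?", fmt(flags)))
    return changed


def policy_changes(events: List[str]) -> List[Tuple[str, int, str, str, str]]:
    """(host, record, category, old, new) for every changed category, comparing each
    event 612 to the previous one from the same host. The first event per host has no
    baseline to compare against and so produces no rows."""
    last: Dict[str, Dict[str, Flags]] = {}
    rows = []
    for ev in sorted(events, key=lambda e: int(RECORD.search(e).group(1))):
        host = COMPUTER.search(ev).group(1)
        record = int(RECORD.search(ev).group(1))
        policy = parse_policy(ev)
        if host in last:
            for name, old, new in diff_policies(last[host], policy):
                rows.append((host, record, name, old, new))
        last[host] = policy
    return rows


if __name__ == "__main__":
    for row in policy_changes(EVENTS):
        print(row)
```

The event itself only carries the new policy, so "what changed" has to come from the previous event 612 for the same machine; in SPL the equivalent of the per-host comparison is a streamstats current=f last(newPolicy) as prevPolicy by ComputerName after the rex, followed by comparing prevPolicy with newPolicy.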
How do you know that a policy field has changed? Is it the + and - ?
I updated the search above, hopefully eliminating the mvfilter error
It says:
Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.
I would like to list the new policy fields that have changed from the old ones, but I am not sure how I would go about doing that. Thank you for the response.
Any suggestions?
Yes, it is WinEvent:Security.
LogName=Security SourceName=Security EventCode=612 EventType=8 Type=Success Audit ComputerName=W573712 User=SYSTEM Sid=S-1-5-18 SidType=1 Category=6 CategoryString=Policy Change RecordNumber=325253 Message=Audit Policy Change: New Policy: Success Failure + + Logon/Logoff - + Object Access - - Privilege Use + + Account Management + - Policy Change + - System - - Detailed Tracking - - Directory Service Access + + Account Logon Changed By: User Name: W57371248$ Domain Name: SERVER Logon ID: (0x0,0x3E7)
What is the sourcetype? And can you show an example of the data? (I'm guessing that it's the WinEvent:Security, but some folks don't have samples of that data available to them.)