Solved: Regex to pull a filename out of a process field pa...

jared_anderson · ‎10-25-2017

I want a regular expression to pull a file name out of a path that is the process field. The path could be any directory, and the filename could be named anything.

Sample logs.

Oct 25 14:47:20 server.domain.local Oct 25 14:47:19 172.23.0.24 system event: text="Modification (Create Key) of registry '\registry\machine\system\currentcontrolset\services\napagent\qecs\' by 'company\user' was allowed." type="Policy Enforcement" subtype="Report write (registry rule)" hostname="domain\computer" username="domain\user" date="10/25/2017 7:46:25 PM" ip_address="172.23.1.13" process="c:\windows\system32\mmc.exe" policy="Windows Medium Enforcement" rule_name="FIM_OSSEC" process_key="00000000-0000-15e8-01d3-490915c2f584" server_version="7.2.1.1903" process_trust="10" process_threat="0"

Oct 25 13:31:5""0 server2.domain.local Oct 25 13:31:43 172.23.0.24 1 2017-10-25T18:31:43Z server2.domain.local - - - - event: text="'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/25/2017 6:30:38 PM" ip_address="172.16.1.12" process="c:\windows\system32\mmc.exe" file_path="c:\users\dccon\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" file_name="administrative tools" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-0848-01d3-4d9cda329d68" server_version="7.2.1.1903" process_trust="10" process_threat="0"

gokadroid · ‎10-25-2017

Try this to get filename and directory in two separate fields.

your query to return events 
| rex "\sprocess=\"(?<directory>(\S+\\))(?<filename>[^\"]+)\""
| table directory, filename

See above regex here

If you need all in one field called file then try this

your query to return events
| rex "\sprocess=\"(?<file>[^\"]+)\""

See above regex here

View solution in original post

gokadroid · ‎10-25-2017

Try this to get filename and directory in two separate fields.

your query to return events 
| rex "\sprocess=\"(?<directory>(\S+\\))(?<filename>[^\"]+)\""
| table directory, filename

See above regex here

If you need all in one field called file then try this

your query to return events
| rex "\sprocess=\"(?<file>[^\"]+)\""

See above regex here

jared_anderson · ‎10-26-2017

Ah, so i didn't account for file paths with spaces like below.

Oct 26 07:51:38 server.domain.local Oct 26 07:51:37 172.23.0.24 system event: text="'c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/26/2017 12:50:01 PM" ip_address="172.12.0.12" process="c:\program files\microsoft sql server\mssql10_50.mssqlserver\mssql\binn\databasemail.exe" file_path="c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21" file_name="7396c420a8e1bc1da97f1af0d10bad21" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-1bc4-01d3-4e58efc90f89" server_version="7.2.1.1903" process_trust="10" process_threat="0"

jared_anderson · ‎10-26-2017

process=".+\(?[^"]+)" (policy|file_path)=

Damien_Dallimor · ‎10-25-2017

^.+\sprocess="(?<filename>.+?)".+$

Regex to pull a filename out of a process field path

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...