- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- EventCode 4672 extraction prob?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
did anyone also figure out that the 4672 Windows Event is not completly extracted by splunk?
4672 is a importent Event because it shows the previlegs of a logon account. It´s raw looks like this:
Special privileges assigned to new logon.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x4b842
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Ok, hard to format here, but the section Privileges has a tabstop in every row. What happend if you do a stats list on the Privileges Field is that it only shows the first row: SeSecurityPrivilege. If you use mvindex(Privileges,0) every index bigger than 0 is empty. This means to me that only the first row was extracted and the rest is skipped... To bad because this are some very valuable information.
Can someone confirm this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK,
based on Giuseppes Regex, there is this possible solution to get the lost fields reportable. There are of cause much more ways but I choosed this one. Adding an extraction and calculated fields to the props.conf.
EXTRACT-467_en = Privileges:\s(?<Privilege>[^ ]*) in _raw
EVAL-SeNetworkLogonRight= if(match(Privilege,".+SeNetworkLogonRight"),"Access this Computer from the Network","X")
EVAL-SeBatchLogonRight= if(match(Privilege,".+SeBatchLogonRight"),"Log on as a batch job","X")
EVAL-SeInteractiveLogonRight= if(match(Privilege,".+SeInteractiveLogonRight"),"Log on locally","X")
EVAL-SeServiceLogonRight= if(match(Privilege,".+SeServiceLogonRight"),"Logon as a service","X")
EVAL-SeDenyNetworkLogonRight= if(match(Privilege,".+SeDenyNetworkLogonRight"),"Deny Access to this computer from the network","X")
EVAL-SeDenyInteractiveLogonRight= if(match(Privilege,".+SeDenyInteractiveLogonRight"),"Deny local logon","X")
EVAL-SeDenyBatchLogonRight= if(match(Privilege,".+SeDenyBatchLogonRight"),"Deny logon as a batch file","X")
EVAL-SeDenyServiceLogonRight= if(match(Privilege,".+SeDenyServiceLogonRight"),"Deny logon as a service","X")
EVAL-SeTcbPrivilege= if(match(Privilege,".+SeTcbPrivilege"),"Act as part of the operating system","X")
EVAL-SeMachineAccountPrivilege= if(match(Privilege,".+SeMachineAccountPrivilege"),"Add workstations to the domain","X")
EVAL-SeBackupPrivilege= if(match(Privilege,".+SeBackupPrivilege"),"Backup files and directories","X")
EVAL-SeChangeNotifyPrivilege= if(match(Privilege,".+SeChangeNotifyPrivilege"),"Bypass traverse checking","X")
EVAL-SeSystemTimePrivilege= if(match(Privilege,".+SeSystemTimePrivilege"),"Change the system time","X")
EVAL-SeCreateTokenPrivilege= if(match(Privilege,".+SeCreateTokenPrivilege"),"Create a token object","X")
EVAL-SeCreatePermanentPrivilege= if(match(Privilege,".+SeCreatePermanentPrivilege"),"Create permanent shared objects","X")
EVAL-SeCreatePagefilePrivilege= if(match(Privilege,".+SeCreatePagefilePrivilege"),"Create a pagefile","X")
EVAL-SeDebugPrivilege= if(match(Privilege,".+SeDebugPrivilege"),"Debug programs","X")
EVAL-SeEnableDelegationPrivilege= if(match(Privilege,".+SeEnableDelegationPrivilege"),"Enable computer and user accounts to be trusted for delegation","X")
EVAL-SeRemoteShutdownPrivilege= if(match(Privilege,".+SeRemoteShutdownPrivilege"),"Force shutdown from a remote system","X")
EVAL-SeAuditPrivilege= if(match(Privilege,".+SeAuditPrivilege"),"Generate security audits","X")
EVAL-SeIncreaseQuotaPrivilege= if(match(Privilege,".+SeIncreaseQuotaPrivilege"),"Increase quotas","X")
EVAL-SeIncreaseBasePriorityPrivilege= if(match(Privilege,".+SeIncreaseBasePriorityPrivilege"),"Increase scheduling priority","X")
EVAL-SeLoadDriverPrivilege= if(match(Privilege,".+SeLoadDriverPrivilege"),"Load and unload device drivers","X")
EVAL-SeLockMemoryPrivilege= if(match(Privilege,".+SeLockMemoryPrivilege"),"Lock pages in memory","X")
EVAL-SeSecurityPrivilege= if(match(Privilege,".+SeSecurityPrivilege"),"Manage auditing and security log","X")
EVAL-SeSystemEnvironmentPrivilege= if(match(Privilege,".+SeSystemEnvironmentPrivilege"),"Modify firmware environment values","X")
EVAL-SeProfileSingleProcessPrivilege= if(match(Privilege,".+SeProfileSingleProcessPrivilege"),"Profile a single process","X")
EVAL-SeSystemProfilePrivilege= if(match(Privilege,".+SeSystemProfilePrivilege"),"Profile system performance","X")
EVAL-SeUndockPrivilege= if(match(Privilege,".+SeUndockPrivilege"),"Remove computer from docking station","X")
EVAL-SeAssignPrimaryTokenPrivilege= if(match(Privilege,".+SeAssignPrimaryTokenPrivilege"),"Replace a process-level token","X")
EVAL-SeRestorePrivilege= if(match(Privilege,".+SeRestorePrivilege"),"Restore files and directories","X")
EVAL-SeShutdownPrivilege= if(match(Privilege,".+SeShutdownPrivilege"),"Shut down the system","X")
EVAL-SeSyncAgentPrivilege= if(match(Privilege,".+SeSyncAgentPrivilege"),"Synchronize directory service data","X")
EVAL-SeTakeOwnershipPrivilege= if(match(Privilege,".+SeTakeOwnershipPrivilege"),"Take ownership of files or other objects","X")
EVAL-SeUnsolicitedInputPrivilege= if(match(Privilege,".+SeUnsolicitedInputPrivilege"),"Read unsolicited data from a terminal device","X")
this will create fields nemed like the Shortcut in the event. If this right is not set then there is an "X". Otherwise there is an Userfriendly discription.
Btw: this will work with every latin language just create an alias to Privileges.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK,
based on Giuseppes Regex, there is this possible solution to get the lost fields reportable. There are of cause much more ways but I choosed this one. Adding an extraction and calculated fields to the props.conf.
EXTRACT-467_en = Privileges:\s(?<Privilege>[^ ]*) in _raw
EVAL-SeNetworkLogonRight= if(match(Privilege,".+SeNetworkLogonRight"),"Access this Computer from the Network","X")
EVAL-SeBatchLogonRight= if(match(Privilege,".+SeBatchLogonRight"),"Log on as a batch job","X")
EVAL-SeInteractiveLogonRight= if(match(Privilege,".+SeInteractiveLogonRight"),"Log on locally","X")
EVAL-SeServiceLogonRight= if(match(Privilege,".+SeServiceLogonRight"),"Logon as a service","X")
EVAL-SeDenyNetworkLogonRight= if(match(Privilege,".+SeDenyNetworkLogonRight"),"Deny Access to this computer from the network","X")
EVAL-SeDenyInteractiveLogonRight= if(match(Privilege,".+SeDenyInteractiveLogonRight"),"Deny local logon","X")
EVAL-SeDenyBatchLogonRight= if(match(Privilege,".+SeDenyBatchLogonRight"),"Deny logon as a batch file","X")
EVAL-SeDenyServiceLogonRight= if(match(Privilege,".+SeDenyServiceLogonRight"),"Deny logon as a service","X")
EVAL-SeTcbPrivilege= if(match(Privilege,".+SeTcbPrivilege"),"Act as part of the operating system","X")
EVAL-SeMachineAccountPrivilege= if(match(Privilege,".+SeMachineAccountPrivilege"),"Add workstations to the domain","X")
EVAL-SeBackupPrivilege= if(match(Privilege,".+SeBackupPrivilege"),"Backup files and directories","X")
EVAL-SeChangeNotifyPrivilege= if(match(Privilege,".+SeChangeNotifyPrivilege"),"Bypass traverse checking","X")
EVAL-SeSystemTimePrivilege= if(match(Privilege,".+SeSystemTimePrivilege"),"Change the system time","X")
EVAL-SeCreateTokenPrivilege= if(match(Privilege,".+SeCreateTokenPrivilege"),"Create a token object","X")
EVAL-SeCreatePermanentPrivilege= if(match(Privilege,".+SeCreatePermanentPrivilege"),"Create permanent shared objects","X")
EVAL-SeCreatePagefilePrivilege= if(match(Privilege,".+SeCreatePagefilePrivilege"),"Create a pagefile","X")
EVAL-SeDebugPrivilege= if(match(Privilege,".+SeDebugPrivilege"),"Debug programs","X")
EVAL-SeEnableDelegationPrivilege= if(match(Privilege,".+SeEnableDelegationPrivilege"),"Enable computer and user accounts to be trusted for delegation","X")
EVAL-SeRemoteShutdownPrivilege= if(match(Privilege,".+SeRemoteShutdownPrivilege"),"Force shutdown from a remote system","X")
EVAL-SeAuditPrivilege= if(match(Privilege,".+SeAuditPrivilege"),"Generate security audits","X")
EVAL-SeIncreaseQuotaPrivilege= if(match(Privilege,".+SeIncreaseQuotaPrivilege"),"Increase quotas","X")
EVAL-SeIncreaseBasePriorityPrivilege= if(match(Privilege,".+SeIncreaseBasePriorityPrivilege"),"Increase scheduling priority","X")
EVAL-SeLoadDriverPrivilege= if(match(Privilege,".+SeLoadDriverPrivilege"),"Load and unload device drivers","X")
EVAL-SeLockMemoryPrivilege= if(match(Privilege,".+SeLockMemoryPrivilege"),"Lock pages in memory","X")
EVAL-SeSecurityPrivilege= if(match(Privilege,".+SeSecurityPrivilege"),"Manage auditing and security log","X")
EVAL-SeSystemEnvironmentPrivilege= if(match(Privilege,".+SeSystemEnvironmentPrivilege"),"Modify firmware environment values","X")
EVAL-SeProfileSingleProcessPrivilege= if(match(Privilege,".+SeProfileSingleProcessPrivilege"),"Profile a single process","X")
EVAL-SeSystemProfilePrivilege= if(match(Privilege,".+SeSystemProfilePrivilege"),"Profile system performance","X")
EVAL-SeUndockPrivilege= if(match(Privilege,".+SeUndockPrivilege"),"Remove computer from docking station","X")
EVAL-SeAssignPrimaryTokenPrivilege= if(match(Privilege,".+SeAssignPrimaryTokenPrivilege"),"Replace a process-level token","X")
EVAL-SeRestorePrivilege= if(match(Privilege,".+SeRestorePrivilege"),"Restore files and directories","X")
EVAL-SeShutdownPrivilege= if(match(Privilege,".+SeShutdownPrivilege"),"Shut down the system","X")
EVAL-SeSyncAgentPrivilege= if(match(Privilege,".+SeSyncAgentPrivilege"),"Synchronize directory service data","X")
EVAL-SeTakeOwnershipPrivilege= if(match(Privilege,".+SeTakeOwnershipPrivilege"),"Take ownership of files or other objects","X")
EVAL-SeUnsolicitedInputPrivilege= if(match(Privilege,".+SeUnsolicitedInputPrivilege"),"Read unsolicited data from a terminal device","X")
this will create fields nemed like the Shortcut in the event. If this right is not set then there is an "X". Otherwise there is an Userfriendly discription.
Btw: this will work with every latin language just create an alias to Privileges.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind. Our field also only extracts the first line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dcl,
you have to extract field from "Privileges:" to the end and then divide them.
But to help you I need an event log: insert it as Code sample so it will remain the same.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Giuseppe, Thanks for offering me your Help... but I only want to proof that I´m right... because this would have a much bigger impact if this happend to all the win event that have Tabstops in their massage field...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, if you're satisfied accept my answer.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dcl,
use a regex like (see https://regex101.com/r/bqvXJI/1)
Privileges:\s(?<Privilege>[^ ]*)
to have all privileges in the same field.
If in addition you want to separate each value in a row use mvexpand command.
Bye.
Giuseppe
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
