Splunk Search

Regex for Windows Event from Syslog agent

leonheart78
Explorer

Hi, I'm trying to get the Target Account ID from the Windows Event parsed from a syslog agent. I'm trying to capture the Target Account Name and Domain. The Account Name appears in the samples below:

91275674
DEVOP0030
TEST. STUADMGR
dev.devmgr

When using Splunk regex, I could not capture all the above variations. I would love to know how I can do this extraction properly.

2017-08-30 13:37:40 Kernel.Notice 172.21.197.99 Aug 30 13:37:56 DVDMZDCPRD01.dmz.devops.edu.my MSWinEventLog 5 Security 2548728 Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success DVDMZDCPRD01.dmz.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-21-3530313057-30343534556-3718217427-2613
Account Name: svc.vendor_guest
Account Domain: DMZ
Logon ID: 0x2524625D
Target Account:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067
||Account Name: 91275674||
||Account Domain: DMZ||
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 8/30/2017 1:37:50 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -

0 Karma
1 Solution

aholzel
Communicator

I use this regex to make the Windows Eventlog Security CIM-compliant for the Change Analysis and Authentication data models. It works with all the events I have encountered that have 2 accounts in the event (subject and target).

(?s)Subject\:.*?Account\s*Name\:\s*(?<src_user>[^\n]*)\n\s*Account\s*Domain\:\s*(?<src_nt_domain>[^\n]*).*?Account\s*Name\:\s*(?<user>[^\n]*)(?:\n\s*Account\s*Domain\:\s*(?<dest_nt_domain>[^\n]*)|\n)

I assumed you put the "|" around the Account Name and Domain Name to make clear what you were looking for.


leonheart78
Explorer

Thanks for the regex. May I know whether you were able to extract the Changed Attributes as well?
Thank you.

0 Karma

aholzel
Communicator

I am working on that one, but from a Change Analysis DM viewpoint, to fill the object_attrs field with the names of the attributes that were changed.

If you just want all the fields, you can just create a regex for it.
I think you have 3 options for that:
1) create 1 regex that will extract every field available using the <_KEY_1> and <_VAL_1> options (read the REGEX part of the transforms.conf documentation)
2) create a regex for every field you want to extract
3) create 1 regex that will get all the "Changed Attributes" fields. Note that this will not "hit" if one field is missing.

I would go for option 1 because it is the most flexible, despite the fact that it will give me some additional fields without a value (for example Changed_Attributes).

0 Karma
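The following is an added example, not code from either poster. It runs aholzel's subject/target regex from the accepted answer over the 4738 event from the question for each of the account-name variations listed there (numeric, DEVOP0030, "TEST. STUADMGR", dev.devmgr), and then applies option 1 from the reply above: a single "Attribute: value" pattern in the style of a transforms.conf REGEX with `_KEY_1`/`_VAL_1` groups, looped over the "Changed Attributes" block, with the Change Analysis `object_attrs` list derived from it. Assumptions: the `build_event`, `extract_accounts`, `changed_attributes` and `object_attrs` names are this example's own; the sample event is reconstructed from the question with the "||" emphasis markers removed and the Changed Attributes block trimmed; the regex is ported from Splunk's PCRE `(?<name>...)` group syntax to Python's `(?P<name>...)`; and "an attribute whose value is not '-' was changed" is an assumed rule for `object_attrs`, not something the thread confirms.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the 4738 event from the question, in the multi-line layout
# it was posted in, with the "||" emphasis markers removed and the Changed
# Attributes block trimmed to a few lines. {target} and {target_domain} are
# filled in by build_event() so the account-name variations can be tried.
EVENT_TEMPLATE = (
    "2017-08-30 13:37:40 Kernel.Notice 172.21.197.99 Aug 30 13:37:56 "
    "DVDMZDCPRD01.dmz.devops.edu.my MSWinEventLog 5 Security 2548728 "
    "Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A "
    "Audit Success DVDMZDCPRD01.dmz.devops.edu.my 13824 A user account was changed.\n"
    "Subject:\n"
    "Security ID: S-1-5-21-3530313057-30343534556-3718217427-2613\n"
    "Account Name: svc.vendor_guest\n"
    "Account Domain: DMZ\n"
    "Logon ID: 0x2524625D\n"
    "Target Account:\n"
    "Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067\n"
    "Account Name: {target}\n"
    "{target_domain}"
    "Changed Attributes:\n"
    "SAM Account Name: -\n"
    "Display Name: -\n"
    "Password Last Set: 8/30/2017 1:37:50 PM\n"
    "Old UAC Value: -\n"
    "New UAC Value: -\n"
    "User Account Control: -\n"
    "Additional Information:\n"
    "Privileges: -\n"
)


def build_event(target: str, with_target_domain: bool = True) -> str:
    """Return a sample event for one target account name; optionally drop the
    target's Account Domain line to exercise the regex's trailing '|\\n' branch."""
    domain_line = "Account Domain: DMZ\n" if with_target_domain else ""
    return EVENT_TEMPLATE.format(target=target, target_domain=domain_line)


# aholzel's regex as posted. Splunk's PCRE engine accepts (?<name>...); Python's
# re module only accepts (?P<name>...), which is the sole change made here.
ACCOUNTS_RE = re.compile(
    r"(?s)Subject\:.*?Account\s*Name\:\s*(?P<src_user>[^\n]*)\n\s*"
    r"Account\s*Domain\:\s*(?P<src_nt_domain>[^\n]*).*?"
    r"Account\s*Name\:\s*(?P<user>[^\n]*)"
    r"(?:\n\s*Account\s*Domain\:\s*(?P<dest_nt_domain>[^\n]*)|\n)"
)


def extract_accounts(event: str) -> Optional[Dict[str, Optional[str]]]:
    """Subject and target account fields, or None if the event does not match."""
    m = ACCOUNTS_RE.search(event)
    if not m:
        return None
    # [^\n]* keeps trailing spaces or a CR from CRLF logs; strip them off.
    return {k: (v.strip() if v is not None else None) for k, v in m.groupdict().items()}


# Equivalent of a transforms.conf REGEX with _KEY_1/_VAL_1 groups (option 1
# above): one "Attribute: value" pattern, applied repeatedly over the section.
KV_RE = re.compile(r"(?P<_KEY_1>[A-Za-z][A-Za-z ]*?):[ \t]*(?P<_VAL_1>[^\n]*)")
CHANGED_SECTION_RE = re.compile(
    r"Changed Attributes:\n(.*?)(?:\nAdditional Information:|\Z)", re.S
)


def changed_attributes(event: str) -> Dict[str, str]:
    """Every field under 'Changed Attributes:' as a dict, '-' placeholders included."""
    m = CHANGED_SECTION_RE.search(event)
    if not m:
        return {}
    return {k.strip(): v.strip() for k, v in KV_RE.findall(m.group(1))}


def object_attrs(event: str) -> List[str]:
    """Names of the attributes that actually changed, for the Change Analysis
    object_attrs field. Assumption: Windows writes '-' for untouched attributes,
    so anything carrying another value was modified."""
    return [k for k, v in changed_attributes(event).items() if v != "-"]


if __name__ == "__main__":
    for name in ("91275674", "DEVOP0030", "TEST. STUADMGR", "dev.devmgr"):
        print(extract_accounts(build_event(name)))
    print(extract_accounts(build_event("dev.devmgr", with_target_domain=False)))
    print(object_attrs(build_event("91275674")))
```

Two things worth checking before putting the pattern in props/transforms: the regex depends on real newlines between the event's fields, so if your syslog agent flattens the event onto one line (tab- or space-separated), `\n` never matches and the extraction returns nothing and the separators have to be adapted; and `[^\n]*` captures to end of line, which is what lets "TEST. STUADMGR" and "dev.devmgr" come through intact but also keeps trailing whitespace, which Splunk's field extraction will not strip for you the way `.strip()` does here.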