Regex for Windows Event from Syslog agent

leonheart78
Explorer

Hi, I'm trying to get the Target Account ID from a Windows Event parsed from a syslog agent. I'm trying to capture the Target Account Name and Domain. The Account Name appears in the samples below:

91275674
DEVOP0030
TEST. STUADMGR
dev.devmgr

When using Splunk regex, I could not capture all of the above variations. I would love to know how I can do this extraction properly.

2017-08-30 13:37:40 Kernel.Notice 172.21.197.99 Aug 30 13:37:56 DVDMZDCPRD01.dmz.devops.edu.my MSWinEventLog 5 Security 2548728 Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success DVDMZDCPRD01.dmz.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-21-3530313057-30343534556-3718217427-2613
Account Name: svc.vendor_guest
Account Domain: DMZ
Logon ID: 0x2524625D
Target Account:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067
||Account Name: 91275674||
||Account Domain: DMZ||
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 8/30/2017 1:37:50 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -

1 Solution

aholzel
Communicator

I use this regex to make the Windows Eventlog Security events CIM compliant for the Change Analysis and Authentication data models. It works with all the events I have encountered that have two accounts in the event (subject and target).

(?s)Subject\:.*?Account\s*Name\:\s*(?<src_user>[^\n]*)\n\s*Account\s*Domain\:\s*(?<src_nt_domain>[^\n]*).*?Account\s*Name\:\s*(?<user>[^\n]*)(?:\n\s*Account\s*Domain\:\s*(?<dest_nt_domain>[^\n]*)|\n)

I assumed you put the "|" around the Account Name and Domain Name to make clear what you were looking for...

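
Running the regex from the answer above over the event in the question, as an added example written for this page (not code from the thread): the named groups are written in Python's (?P<name>...) form because Python's re module does not accept the (?<name>...) syntax that Splunk's PCRE engine uses; nothing else in the pattern is changed. The block feeds it each of the four account-name shapes listed in the question and compares it with a plain \w+ capture to show why names containing dots or spaces were being truncated. The event text is constructed from the sample in the question with the "||" highlight markers removed.

```python
import re

# The regex from the answer, with (?<name>...) rewritten as (?P<name>...) for
# Python's re module. Splunk's PCRE accepts the original form as posted.
ACCOUNT_RE = re.compile(
    r"(?s)Subject\:.*?Account\s*Name\:\s*(?P<src_user>[^\n]*)\n\s*"
    r"Account\s*Domain\:\s*(?P<src_nt_domain>[^\n]*).*?"
    r"Account\s*Name\:\s*(?P<user>[^\n]*)"
    r"(?:\n\s*Account\s*Domain\:\s*(?P<dest_nt_domain>[^\n]*)|\n)"
)

# A typical first attempt that stops at the first non-word character; it is
# included only to show why it fails on the names listed in the question.
NAIVE_RE = re.compile(r"Target Account:.*?Account Name:\s*(\w+)", re.S)

# Constructed 4738 event body modelled on the one in the question (the "||"
# markers are left out because the real log line does not contain them).
EVENT_TEMPLATE = """\
MSWinEventLog 5 Security 2548728 Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success DVDMZDCPRD01.dmz.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-21-3530313057-30343534556-3718217427-2613
Account Name: svc.vendor_guest
Account Domain: DMZ
Logon ID: 0x2524625D
Target Account:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067
Account Name: {target}
Account Domain: DMZ
Changed Attributes:
SAM Account Name: -
Password Last Set: 8/30/2017 1:37:50 PM
"""

# The four target-name shapes listed in the question.
TARGET_NAMES = ["91275674", "DEVOP0030", "TEST. STUADMGR", "dev.devmgr"]


def extract_accounts(event: str) -> dict:
    """Return src_user/src_nt_domain/user/dest_nt_domain as the answer's regex sees them."""
    # Syslog agents often forward the Windows CRLF line endings unchanged;
    # [^\n]* would then keep a trailing "\r" inside every captured value.
    event = event.replace("\r\n", "\n")
    m = ACCOUNT_RE.search(event)
    if not m:
        return {}
    # dest_nt_domain is None when the "|\n" branch matched (no domain line
    # after the target account name), so it is simply left out.
    return {k: v.strip() for k, v in m.groupdict().items() if v is not None}


def naive_target_user(event: str):
    """What a \\w+ capture returns for the same target account name."""
    m = NAIVE_RE.search(event)
    return m.group(1) if m else None


def main() -> None:
    for name in TARGET_NAMES:
        event = EVENT_TEMPLATE.format(target=name)
        print(f"{name!r:18} answer regex -> {extract_accounts(event)['user']!r:18} "
              f"\\w+ -> {naive_target_user(event)!r}")


if __name__ == "__main__":
    main()
```

All four names come back whole because [^\n]* takes everything up to the end of the line, whereas \w+ stops at the first dot or space and returns only "TEST" or "dev". Two caveats worth keeping in mind before this goes into props.conf: if the forwarder preserves Windows CRLF line endings, the trailing "\r" ends up inside every captured value (the function above normalises them first), and because \s also matches a newline, an event whose target Account Name is empty would let \s* step onto the next line and capture it as the user; [ \t]* after the colon avoids that.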

leonheart78
Explorer

Thanks for the regex. May I know whether you were able to extract the Changed Attributes as well?
Thank you.


aholzel
Communicator

I am working on that one, but from a Change Analysis DM point of view, to fill the object_attrs field with the names of the attributes that were changed.

If you just want all the fields, you can just create a regex for it.
I think you have 3 options for that:
1) create one regex that extracts every field available using the <_KEY_1> and <_VAL_1> options (read the REGEX part of the transforms.conf documentation)
2) create a regex for every field you want to extract
3) create one regex that gets all the "Changed Attributes" fields. Note that this will not "hit" if one field is missing.

I would go for option 1 because it is the most flexible, despite the fact that it will give me some additional fields without a value (for example Changed_Attributes).

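
Option 1 above (one generic _KEY_1/_VAL_1 extraction) and the object_attrs goal from the same reply, worked through as an added example that is not from the thread: a Python equivalent of the key/value regex, run over the event from the question, plus the step that turns the "Changed Attributes" block into the list of attributes that actually changed. The transforms.conf stanza in the comment, the field-name cleaning and the mapping onto CIM field names are my assumptions about how this would be wired up, not something the answer specifies; the event text is constructed from the question's sample, abridged and with the "||" markers removed.

```python
import re

# Assumed transforms.conf stanza that parse_kv() below mirrors (written for this
# example, not taken from the thread). The _KEY_1/_VAL_1 named groups make
# Splunk create one field per "Name: value" line, REPEAT_MATCH applies the
# regex to every line of the event, and MV_ADD keeps both values when a key
# repeats (Account Name appears under Subject and under Target Account):
#
#   [winsec_kv]
#   REGEX        = (?m)^[ \t]*(?<_KEY_1>[^:\n]+?):[ \t]*(?<_VAL_1>[^\n]*)$
#   REPEAT_MATCH = true
#   MV_ADD       = true
#
# [ \t]* rather than \s* around the colon matters: \s also matches "\n", so a
# line with an empty value ("Changed Attributes:") would otherwise swallow the
# following line as its value.
KV_RE = re.compile(r"(?m)^[ \t]*(?P<_KEY_1>[^:\n]+?):[ \t]*(?P<_VAL_1>[^\n]*)$")

# Constructed, abridged 4738 event modelled on the one in the question.
EVENT = """\
2017-08-30 13:37:40 Kernel.Notice 172.21.197.99 Aug 30 13:37:56 DVDMZDCPRD01.dmz.devops.edu.my MSWinEventLog 5 Security 2548728 Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success DVDMZDCPRD01.dmz.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-21-3530313057-30343534556-3718217427-2613
Account Name: svc.vendor_guest
Account Domain: DMZ
Logon ID: 0x2524625D
Target Account:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067
Account Name: 91275674
Account Domain: DMZ
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Password Last Set: 8/30/2017 1:37:50 PM
User Account Control: -
Additional Information:
Privileges: -
"""


def clean_key(key: str) -> str:
    """Approximation of Splunk's default CLEAN_KEYS: non-alphanumerics become
    underscores and leading underscores/digits are stripped (an assumption of
    this example, not verified against every Splunk release)."""
    return re.sub(r"[^A-Za-z0-9]", "_", key.strip()).lstrip("_0123456789")


def parse_kv(text: str) -> dict:
    """Every 'Name: value' line as {cleaned_name: [values...]} (multivalue on repeats)."""
    fields: dict = {}
    for m in KV_RE.finditer(text.replace("\r\n", "\n")):
        key = clean_key(m.group("_KEY_1"))
        if not key:  # e.g. the syslog header line, whose "key" is a timestamp
            continue
        fields.setdefault(key, []).append(m.group("_VAL_1").strip())
    return fields


def changed_attributes(event: str) -> list:
    """Names in the Changed Attributes block whose value is not the '-' placeholder."""
    start = event.find("Changed Attributes:")
    if start < 0:
        return []
    end = event.find("Additional Information:", start)
    block = event[start:] if end < 0 else event[start:end]
    return [
        key for key, values in parse_kv(block).items()
        if key != "Changed_Attributes" and any(v not in ("-", "") for v in values)
    ]


def to_change_analysis(event: str) -> dict:
    """Assumed mapping onto Change Analysis field names: the first Account Name
    (Subject) is the acting user, the second (Target Account) is the object."""
    names = parse_kv(event).get("Account_Name", [])
    return {
        "user": names[0] if names else None,
        "object": names[1] if len(names) > 1 else None,
        "object_attrs": changed_attributes(event),
    }


def main() -> None:
    for key, values in parse_kv(EVENT).items():
        print(f"{key} = {values}")
    print(to_change_analysis(EVENT))


if __name__ == "__main__":
    main()
```

The generic extraction produces exactly the side effect the reply mentions: section headers such as Subject, Target Account and Changed Attributes become fields with an empty value, and the syslog header line would become a junk field if key cleaning did not throw it away. Filtering the Changed Attributes block on values other than "-" is what gives object_attrs only the attributes that really changed (here just Password_Last_Set), independent of which attributes a given 4738 event happens to list.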