How to create a regex to return events with specific usernames in a field?

adamfiore
Explorer

I am trying to create a search that returns only those events that have a specific username (or part of a username) in the Account Name field under Target Account. I have zero experience with regular expressions, but based on some other posts I was able to put together a regex that seems to locate the appropriate field (which I tested on regex101.com). However, I can't seem to get the search to work - I've tried three different variations, and all error out. One final note, I'm using "like" because in the final iteration of the search, I'll be looking for any username that contains a specific suffix, not just one specific account. Appreciate the help.

WORKING REGEX

(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)

SAMPLE EVENT

6/25/2018 01:07:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4723
EventType=0
Type=Information
ComputerName=SERVER.TRX.COM
TaskCategory=User Account Management
OpCode=Info
RecordNumber=329720657
Keywords=Audit Success
Message=An attempt was made to change an account's password.
Subject:
    Security ID:        TRX\jsmith
    Account Name:   jsmith
    Account TRX:        TRX
    Logon ID:       0x6368FECE
Target Account:
    Security ID:        TRX\jsmith
    Account Name:   jsmith
    Account TRX:        TRX
Additional Information:
    Privileges

SEARCH THAT WORKS (But does not use the regular expression)

EventCode=4723 OR EventCode=4724 | where like (Account_Name,"jsmith")

REGEX SEARCHES TRIED

EventCode=4723 OR EventCode=4724 | where like ((regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = (?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)),"jsmith")
1 Solution

jkat54
SplunkTrust

Try this:

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Regex

... root search ... | regex AccountName="Regex"

Or even this

... root search ... | rex "Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)" | where Account_Name="jsmith"

the_wolverine
Champion

You don't need to use the regex command if the field extract already exists:

root search jsmith OR AccountName=jsmith

aholzer
Motivator

These look like WinEventLog:Security. You should look into using the Splunk TA for Windows and the out-of-the-box sourcetypes that come with it to handle this type of data. Then your extractions will work automatically rather than having to write your own.

In terms of running an inline regex, what @jkat54 said is correct: just run your base search followed by ... | regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+jsmith"
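As an added example (not code from any poster in this thread), here is the rex-style extraction and the like() suffix filter the answers describe, run in Python over two constructed events modelled on the 4723 sample. It uses Python's (?P<name>...) spelling of the named group, and deliberately swaps the question's [^ ]* for \S+ and the greedy .* for .*?, for the reasons given in the comments; the QUESTION_RE constant keeps the regex exactly as posted so the difference can be seen.

```python
import re
# Splunk's (?ms) maps to re.M | re.S, and the PCRE named group (?<name>...)
# is written (?P<name>...) in Python. Two deliberate changes from the regex in
# the question: .*? so the match stops at the first Account Name after "Target
# Account:", and \S+ instead of [^ ]*, because [^ ] also matches tabs and
# newlines and runs on into the next line of a tab-indented event.
TARGET_ACCOUNT_RE = re.compile(
    r"Target Account:.*?Security ID:.*?Account Name:\s+(?P<Account_Name>\S+)",
    re.M | re.S,
)
# The question's regex as posted, kept only to show what it captures.
QUESTION_RE = re.compile(
    r"Target Account:.*Security ID:.*Account Name:\s+(?P<Account_Name>[^ ]*)",
    re.M | re.S,
)

# Constructed events modelled on the 4723 sample in the question, tab-indented
# as the Windows TA delivers them. The second one has different Subject and
# Target names so the two "Account Name:" lines can be told apart.
EVENTS = [
    "EventCode=4723\nMessage=An attempt was made to change an account's password.\n"
    "Subject:\n\tSecurity ID:\tTRX\\jsmith\n\tAccount Name:\tjsmith\n"
    "\tAccount Domain:\tTRX\n\tLogon ID:\t0x6368FECE\n"
    "Target Account:\n\tSecurity ID:\tTRX\\jsmith\n\tAccount Name:\tjsmith\n"
    "\tAccount Domain:\tTRX\nAdditional Information:\n\tPrivileges\n",
    "EventCode=4724\nMessage=An attempt was made to reset an account's password.\n"
    "Subject:\n\tSecurity ID:\tTRX\\helpdesk1\n\tAccount Name:\thelpdesk1\n"
    "\tAccount Domain:\tTRX\n\tLogon ID:\t0x1A2B3C\n"
    "Target Account:\n\tSecurity ID:\tTRX\\jsmith_adm\n\tAccount Name:\tjsmith_adm\n"
    "\tAccount Domain:\tTRX\nAdditional Information:\n\tPrivileges\n",
]

def extract_target_account(event, pattern=TARGET_ACCOUNT_RE):
    """What `rex` does per event: the Target Account's Account Name, or None."""
    m = pattern.search(event)
    return m.group("Account_Name") if m else None

def like(value, pattern):
    """Splunk's like(): '%' matches any run of characters, '_' exactly one."""
    regex = "".join({"%": ".*", "_": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(regex, value, re.S) is not None

def target_accounts_like(events, pattern):
    """The `rex ... | where like(Account_Name, pattern)` pipeline over events."""
    names = (extract_target_account(e) for e in events)
    return [n for n in names if n is not None and like(n, pattern)]

if __name__ == "__main__":
    print(repr(extract_target_account(EVENTS[0], QUESTION_RE)))  # 'jsmith\n\tAccount'
    print(target_accounts_like(EVENTS, "%_adm"))                 # ['jsmith_adm']
```

With the posted [^ ]* the captured value carries the newline and the start of the next line, which is why a later equality or like() test on it never matches.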

adamfiore
Explorer

Thanks. That worked and I'll also look into TA for Windows. Appreciate the help.
