Splunk Enterprise Security

Extracting multiple values in a Splunk Search

enymanu
New Member

Hi All, I need help extracting {0000000-0000-0000-0000-000000000000} and {0000000-0000-0000-0000-000000000000} from the log sample below during search. This is what I have so far:

sourcetype=wineventlog EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS") | rex field=Message "Properties: (?P[^\s]+) {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " | rex field=Message "Properties: (?P[^\s]+) {9923a32a-3607-11d2-b9be-0000f87a36b2} " | rex field=Message "Properties: (?P[^\s]+) {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2} "
Please help me fix this search.

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=gghasfv.net
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=0000000
Keywords=Audit Success
Message=An operation was performed on an object.

Subject :
Security ID: S-1-5-21-0000000-0000-0000-0000-000000000000
Account Name: NAME$
Account Domain: GOAL
Logon ID: GOAL

Object:
Object Server: DS
Object Type: %{0000000-0000-0000-0000-000000000000}
Object Name: %{0000000-0000-0000-0000-000000000000}
Handle ID:

Operation:
Operation Type: Object Access
Accesses: Control Access

Access Mask:        0x100
Properties:     Control Access
    {0000000-0000-0000-0000-000000000000}
{0000000-0000-0000-0000-000000000000}

Additional Information:
Parameter 1:
Parameter 2

0 Karma
1 Solution

to4kawa
Ultra Champion

Reference:

DS-Install-Replica 9923a32a-3607-11d2-b9be-0000f87a36b2 
DS-Replication-Manage-Topology 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
Schema-Id-Guid 19195a5b-6da0-11d0-afd3-00c04fd930c9

cf. https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters

your search
| rex max_match=0 "[^%](?<guid>{.*})"

Try rex max_match. This command excludes Object Type and Object Name.

0 Karma
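Added example, not from the thread or from Splunk: a Python equivalent of the accepted answer's rex, run over a constructed message cut down from the event in the question, that collects the Properties GUIDs and checks them against the replication rights listed in the reference above. The name given for the 1131f6ad GUID is my addition (it is not named in the thread).

```python
import re

# Constructed sample message, cut down from the event pasted in the question.
SAMPLE_MESSAGE = """An operation was performed on an object.
Object:
Object Server: DS
Object Type: %{19195a5b-6da0-11d0-afd3-00c04fd930c9}
Object Name: %{0000000-0000-0000-0000-000000000000}

Operation:
Operation Type: Object Access
Accesses: Control Access

Access Mask:        0x100
Properties:     Control Access
    {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
{9923a32a-3607-11d2-b9be-0000f87a36b2}
"""

# Control access rights discussed in the thread; the first name is not given
# there and is added here (DS-Replication-Get-Changes-All).
WATCHLIST = {
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{9923a32a-3607-11d2-b9be-0000f87a36b2}": "DS-Install-Replica",
    "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Manage-Topology",
}

# Same idea as the accepted answer's `rex max_match=0 "[^%](?<guid>{.*})"`:
# every {guid} whose preceding character is not '%', so the Object Type and
# Object Name lines (written as %{...}) are skipped. A lookbehind is used
# instead of [^%] so the match never swallows the character before the brace.
GUID_RE = re.compile(r"(?<!%)\{[0-9a-fA-F-]+\}")


def extract_guids(message: str) -> list[str]:
    """Return all Properties GUIDs in the message, lower-cased, in order."""
    return [m.group(0).lower() for m in GUID_RE.finditer(message)]


def matched_rights(message: str) -> dict[str, str]:
    """Map each extracted GUID that is on the watchlist to its right name."""
    return {g: WATCHLIST[g] for g in extract_guids(message) if g in WATCHLIST}


if __name__ == "__main__":
    for guid, name in matched_rights(SAMPLE_MESSAGE).items():
        print(f"{guid}  {name}")
```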

enymanu
New Member

This is my updated search. It is not filtering the properties.

sourcetype=wineventlog (EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) OR (EventCode="4624" session_id!="NT AUTHORITY" Account_Domain!="Window Manager") | rex max_match=0 "^%" | search (guid="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR guid = "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR guid = "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}")

0 Karma

to4kawa
Ultra Champion

guid is multivalue, so search can't work.

sourcetype=wineventlog  ("{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}") (EventCode="4662" OR EventCode="4624")

How is this?
I guess if extra results appear, you can do it using NOT.

0 Karma

enymanu
New Member

This works fine but it is slow. Is there a way it can be accelerated?

0 Karma

to4kawa
Ultra Champion

(EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) can be used in the same way. It will be faster.

0 Karma

codebuilder
SplunkTrust

If this is properly structured xml or json just use mvexpand on your multi-value field. You can also pipe that to "search" for a specific value in the MV field.

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma