Hi All, I need help extracting {0000000-0000-0000-0000-000000000000} and {0000000-0000-0000-0000-000000000000} from the log sample below during search. This is what I have so far:
sourcetype=wineventlog EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS") | rex field=Message "Properties: (?P[^\s]+) {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " | rex field=Message "Properties: (?P[^\s]+) {9923a32a-3607-11d2-b9be-0000f87a36b2} " | rex field=Message "Properties: (?P[^\s]+) {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2} "
Please help me fix this search.
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=gghasfv.net
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=0000000
Keywords=Audit Success
Message=An operation was performed on an object.
Subject :
Security ID: S-1-5-21-0000000-0000-0000-0000-000000000000
Account Name: NAME$
Account Domain: GOAL
Logon ID: GOAL
Object:
Object Server: DS
Object Type: %{0000000-0000-0000-0000-000000000000}
Object Name: %{0000000-0000-0000-0000-000000000000}
Handle ID:
Operation:
Operation Type: Object Access
Accesses: Control Access
Access Mask: 0x100
Properties: Control Access
{0000000-0000-0000-0000-000000000000}
{0000000-0000-0000-0000-000000000000}
Additional Information:
Parameter 1:
Parameter 2
Reference:
DS-Install-Replica 9923a32a-3607-11d2-b9be-0000f87a36b2
DS-Replication-Manage-Topology 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
Schema-Id-Guid 19195a5b-6da0-11d0-afd3-00c04fd930c9
cf. https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters
your search
| rex max_match=0 "[^%](?<guid>{.*})"
Try rex max_match. This command excludes Object Type and Object Name.
This is my updated search. It is not filtering the properties.
sourcetype=wineventlog (EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) OR (EventCode="4624" session_id!="NT AUTHORITY" Account_Domain!="Window Manager") | rex max_match=0 "^%" | search (guid="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR guid = "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR guid = "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}")
guid is multivalue. search can't work.
sourcetype=wineventlog ("{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}") (EventCode="4662" OR EventCode="4624")
How is this?
I guess if extra results appear, use NOT; you can do it.
This works fine but it is slow. Is there a way it can be accelerated?
(EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS"))
can be used in the same way. It will be faster.
If this is properly structured xml or json just use mvexpand on your multi-value field. You can also pipe that to "search" for a specific value in the MV field.
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand
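The two points the answers make, that the GUIDs must be pulled out with a pattern that skips the `%{...}` Object Type and Object Name lines, and that the result is a multivalue field which has to be matched value-by-value, can be checked offline. The following is an added Python example, not code from the thread or from Splunk: it parses a constructed 4662 Message block shaped like the one in the question, extracts the Properties GUIDs as a list (the multivalue `guid` field), and keeps only events where any value is one of the three control-access GUIDs from the question's search. The names for two GUIDs come from the thread's "Reference" lines; the third, DS-Replication-Get-Changes-All, is a well-known extended right not named on the page. The sample events and their RecordNumber values are constructed.

```python
import re
from typing import Dict, List

# Control-access GUIDs from the question's search. Two names are taken from the
# thread's "Reference" lines; 1131f6ad-... is DS-Replication-Get-Changes-All.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
}

# A braced GUID not preceded by '%'. The '%' prefix marks the Object Type and
# Object Name lines, so the negative lookbehind does the job of the "[^%]" in
# the answer's rex without consuming the character before the brace.
GUID_RE = re.compile(
    r"(?<!%)\{([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}",
    re.IGNORECASE,
)

# Constructed sample events modelled on the question's log. Record 1 requests
# two of the watched rights; record 2 carries only a placeholder GUID.
SAMPLE_EVENTS: List[dict] = [
    {
        "RecordNumber": 1,
        "EventCode": 4662,
        "Account_Name": "NAME$",
        "Message": (
            "An operation was performed on an object.\n"
            "Subject :\n"
            "Security ID: S-1-5-21-0000000-0000-0000-0000-000000000000\n"
            "Account Name: NAME$\n"
            "Object:\n"
            "Object Server: DS\n"
            "Object Type: %{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"
            "Object Name: %{00000000-0000-0000-0000-000000000000}\n"
            "Operation:\n"
            "Operation Type: Object Access\n"
            "Accesses: Control Access\n"
            "Access Mask: 0x100\n"
            "Properties: Control Access\n"
            "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
            "{9923a32a-3607-11d2-b9be-0000f87a36b2}\n"
        ),
    },
    {
        "RecordNumber": 2,
        "EventCode": 4662,
        "Account_Name": "OTHER$",
        "Message": (
            "An operation was performed on an object.\n"
            "Object Type: %{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"
            "Object Name: %{00000000-0000-0000-0000-000000000000}\n"
            "Access Mask: 0x100\n"
            "Properties: Control Access\n"
            "{11111111-1111-1111-1111-111111111111}\n"  # constructed placeholder
        ),
    },
]


def extract_property_guids(message: str) -> List[str]:
    """Return the Properties GUIDs of a 4662 Message as a multivalue list,
    lower-cased and without braces; '%{...}' Object Type/Name GUIDs are skipped."""
    return [g.lower() for g in GUID_RE.findall(message)]


def replication_rights_requested(message: str) -> List[str]:
    """Names of watched control-access rights present in the event."""
    return [REPLICATION_RIGHTS[g] for g in extract_property_guids(message)
            if g in REPLICATION_RIGHTS]


def triage(events: List[dict]) -> List[dict]:
    """Keep an event if ANY of its multivalue GUIDs is on the watch list, which is
    the per-value test that a plain '| search guid=...' on a multivalue field
    does not perform (mvexpand gives the same effect in SPL)."""
    hits = []
    for ev in events:
        rights = replication_rights_requested(ev["Message"])
        if rights:
            hits.append({**ev, "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["RecordNumber"], hit["Account_Name"], hit["rights"])
```

Running the block prints one hit, record 1, with both of its watched rights named; record 2 is dropped because its only GUID is not on the list, and the `%{...}` schema GUID is never extracted at all.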