Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Using Regular Expression is Case-Sensitive

adamfiore
Explorer
‎08-10-2018 09:22 AM

I'm using a regular expression to locate a certain field in a particular event and then return results where the contents of that field are "like" a certain string. However, what I'm finding is that the "like" operator is matching based on case. Similarly, when I switch the query to match the string exactly (i.e., using "="), this too is case-sensitive.

The example below returns the desired result. However, if I make the following change, no result is returned:

where (like (Login_Security_ID,"%UserName%"))
--to--
where (like (Login_Security_ID,"%username%"))

Any idea on how I can make this case INsensitive? Thanks for the help.

Search Being Run

EventCode=4688
| rex "(?ms)Security ID:..(?<Login_Security_ID>[DOMAIN]+.\w+.\w+)"
| rex "(?ms)New Process Name:..(?<New_Process_Name>.\S*)"
| where New_Process_Name=":\Windows\System32\mmc.exe"
| where (like (Login_Security_ID,"%UserName%")) 
| eval attemptoutcome = keywords

Event Attempting to Return

08/10/2018 10:37:47 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=server.DOMAIN.com
TaskCategory=Process Creation
OpCode=Info
RecordNumber=6646657
Keywords=Audit Success
Message=A new process has been created.

Subject:
    Security ID:        DOMAIN\srvcUserName
    Account Name:       srvcUserName
    Account Domain:     DOMAIN
    Logon ID:       0xd3245f55

Process Information:
    New Process ID:     0x9b4
    New Process Name:   C:\Windows\System32\mmc.exe
    Token Elevation Type:   TokenElevationTypeLimited (3)
    Creator Process ID: 0xf48
    Process Command Line:
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-10-2018 10:25 AM

@adamfiore, for case insensitive match please use match() function with (?i) parameter:

| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")

Following is a run anywhere example based on your sample data:

| makeresults 
| eval _raw=" 08/10/2018 10:37:47 AM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4688
 EventType=0
 Type=Information
 ComputerName=server.DOMAIN.com
 TaskCategory=Process Creation
 OpCode=Info
 RecordNumber=6646657
 Keywords=Audit Success
 Message=A new process has been created.

 Subject:
     Security ID:        DOMAIN\srvcUserName
     Account Name:        srvcUserName
     Account Domain:        DOMAIN
     Logon ID:        0xd3245f55

 Process Information:
     New Process ID:        0x9b4
     New Process Name:    C:\Windows\System32\mmc.exe
     Token Elevation Type:    TokenElevationTypeLimited (3)
     Creator Process ID:    0xf48
     Process Command Line:" 
| rex "Security ID:\s+(?<Login_Security_ID>[^\s]+)\s"
| rex "New Process Name:\s+(?<New_Process_Name>[^\s]+)\s"
| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-10-2018 10:25 AM

@adamfiore, for case insensitive match please use match() function with (?i) parameter:

| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")

Following is a run anywhere example based on your sample data:

| makeresults 
| eval _raw=" 08/10/2018 10:37:47 AM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4688
 EventType=0
 Type=Information
 ComputerName=server.DOMAIN.com
 TaskCategory=Process Creation
 OpCode=Info
 RecordNumber=6646657
 Keywords=Audit Success
 Message=A new process has been created.

 Subject:
     Security ID:        DOMAIN\srvcUserName
     Account Name:        srvcUserName
     Account Domain:        DOMAIN
     Logon ID:        0xd3245f55

 Process Information:
     New Process ID:        0x9b4
     New Process Name:    C:\Windows\System32\mmc.exe
     Token Elevation Type:    TokenElevationTypeLimited (3)
     Creator Process ID:    0xf48
     Process Command Line:" 
| rex "Security ID:\s+(?<Login_Security_ID>[^\s]+)\s"
| rex "New Process Name:\s+(?<New_Process_Name>[^\s]+)\s"
| where match(New_Process_Name,"(?i)\\\windows\\\system32\\\mmc.exe") AND match(Login_Security_ID,"(?i)username")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

adamfiore
Explorer
‎08-14-2018 07:39 AM

@ niketnilay Thanks for the reply. Same as above though, this didn't work for me. I also tried using (?i) with the like function, as well as matching the case of the username exactly as it's appearing in the event, but even that failed to return a result. Here are a few of the variations I tried:

| where match (Login_Security_ID,"(?i)domain\srvcusername")
| where match (Login_Security_ID,"(?i)DOMAIN\srvcUserName")
| where like (Login_Security_ID,"(?i)domain\srvcusername")
| where match (Login_Security_ID,"(?i)DOMAIN\srvcUserName")
| where like (Login_Security_ID,"(?i)%username")

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-14-2018 08:41 AM

@adamfiore two things need to be changed...

1) use \\ to escape each \ in the path as stated in my answer.
2) Use AND to join multiple match conditions together as stated in my answer instead of using separate pipes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎08-14-2018 07:48 AM

Hello, I think you need to escape that backslash as follows:
where match (Login_Security_ID,"(?i)DOMAIN\\srvcUserName")

Reply
Solved! Jump to solution

adamfiore
Explorer
‎08-14-2018 08:39 AM

Thanks @chanfoli, that worked. Assuming I can't use the "%" wildcard with "match", like this:

| where match (Login_Security_ID,"(?i)%srvcusername")

0 Karma
Reply
Solved! Jump to solution

anthonymelita
Contributor
‎08-10-2018 09:55 AM

Replace the two where statements with a subsearch.

| search New_Process_Name="C:\Windows\System32\mmc.exe" AND Login_Security_ID = username

Reply
Solved! Jump to solution

adamfiore
Explorer
‎08-14-2018 07:34 AM

@anthonymelita Thanks for the reply, but I'm afraid this didn't work. In fact, I couldn't get the sub-search to work even when I matched the case of the username in the search query exactly as it's showing up in the event, as seen below:

| search New_Process_Name="C:\Windows\System32\mmc.exe" AND Login_Security_ID = DOMAIN\srvcUserName

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...