Hi all,
I need a regex to grep a few bits from the following raw data:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3xxxxxxxxx}'/><EventID>4662</EventID><Version>0</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-09-01T07:00:18.999999800Z'/><EventRecordID>35xxxx65</EventRecordID><Correlation ActivityID='{5xxxxxxxx-b61d-0004-afc0-ac531db6d901}'/><Execution ProcessID='1520' ThreadID='1628'/><Channel>Security</Channel><Computer>XXXXXXXXXXXXXX.riv</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>XXXXXXX$</Data><Data Name='SubjectDomainName'>XXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>WMI</Data><Data Name='ObjectType'>WMI Namespace</Data><Data Name='ObjectName'>ROOT\CIMV2\Security\MicrosoftTpm</Data><Data Name='OperationType'>Object Access</Data><Data Name='HandleId'>0x0</Data><Data Name='AccessList'>%%1552 %%1553 </Data><Data Name='AccessMask'>0x3</Data><Data Name='Properties'>-</Data><Data Name='AdditionalInfo'>Local Execute (ExecMethod)</Data><Data Name='AdditionalInfo2'>ROOT\CIMV2\Security\MicrosoftTpm:Win32_Tpm=@::GetOwnerAuthForEscrow</Data></EventData></Event>
I need:
1. <EventID>4662</EventID>
2. <Data Name='ObjectType'>WMI Namespace</Data>
3. <Data Name='ObjectName'>ROOT\CIMV2\Security\MicrosoftTpm</Data>
4. <Data Name='AdditionalInfo2'>ROOT\CIMV2\Security\MicrosoftTpm:Win32_Tpm=@::GetOwnerAuthForEscrow</Data>
Thank you!
There were a few problems with the regular expression that caused it to fail to match the desired text. Try the query below.
| makeresults
| fields - _time
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3xxxxxxxxx}'/><EventID>4662</EventID><Version>0</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-09-01T07:00:18.999999800Z'/><EventRecordID>35xxxx65</EventRecordID><Correlation ActivityID='{5xxxxxxxx-b61d-0004-afc0-ac531db6d901}'/><Execution ProcessID='1520' ThreadID='1628'/><Channel>Security</Channel><Computer>XXXXXXXXXXXXXX.riv</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>XXXXXXX$</Data><Data Name='SubjectDomainName'>XXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>WMI</Data><Data Name='ObjectType'>WMI Namespace</Data><Data Name='ObjectName'>ROOT\CIMV2\Security\MicrosoftTpm</Data><Data Name='OperationType'>Object Access</Data><Data Name='HandleId'>0x0</Data><Data Name='AccessList'>%%1552 %%1553 </Data><Data Name='AccessMask'>0x3</Data><Data Name='Properties'>-</Data><Data Name='AdditionalInfo'>Local Execute (ExecMethod)</Data><Data Name='AdditionalInfo2'>ROOT\CIMV2\Security\MicrosoftTpm:Win32_Tpm=@::GetOwnerAuthForEscrow</Data></EventData></Event>"
| rex mode=sed "s/.*(<EventID>4662<\/EventID>).*(<Data Name='SubjectUserName'>.*?<\/Data>).*/\1\2/"
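As an added example (not code from either post above), this pulls the four fields the question asks for from the event in Python: first with a real XML parser, which is the safer choice for XML-rendered Windows events, then with a named-group regex that does what a Splunk rex would. The sample event is a shortened copy of the masked 4662 event quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the masked 4662 event from the question.
SAMPLE_EVENT = (
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    r"<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4662</EventID>"
    r"<Channel>Security</Channel><Computer>XXXXXXXXXXXXXX.riv</Computer></System>"
    r"<EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data>"
    r"<Data Name='SubjectUserName'>XXXXXXX$</Data><Data Name='ObjectServer'>WMI</Data>"
    r"<Data Name='ObjectType'>WMI Namespace</Data>"
    r"<Data Name='ObjectName'>ROOT\CIMV2\Security\MicrosoftTpm</Data>"
    r"<Data Name='OperationType'>Object Access</Data><Data Name='AccessMask'>0x3</Data>"
    r"<Data Name='AdditionalInfo'>Local Execute (ExecMethod)</Data>"
    r"<Data Name='AdditionalInfo2'>ROOT\CIMV2\Security\MicrosoftTpm:Win32_Tpm=@::GetOwnerAuthForEscrow</Data>"
    r"</EventData></Event>"
)

# The Windows event schema namespace; every element in the record lives in it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WANTED = ("ObjectType", "ObjectName", "AdditionalInfo2")


def parse_event(xml_text):
    """Extract EventID plus the wanted <Data Name=...> values with an XML parser."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        if data.get("Name") in WANTED:
            fields[data.get("Name")] = data.text or ""
    return fields


# Regex alternative. Values are matched with [^<]* so each group stops at the next
# tag instead of running on greedily; either quote style around Name is accepted.
EVENT_RE = re.compile(
    r"<EventID>(?P<EventID>\d+)</EventID>.*?"
    r"<Data Name=['\"]ObjectType['\"]>(?P<ObjectType>[^<]*)</Data>.*?"
    r"<Data Name=['\"]ObjectName['\"]>(?P<ObjectName>[^<]*)</Data>.*?"
    r"<Data Name=['\"]AdditionalInfo2['\"]>(?P<AdditionalInfo2>[^<]*)</Data>",
    re.DOTALL,
)


def regex_extract(raw):
    """Same four fields via regex; returns None when the record lacks any of them."""
    m = EVENT_RE.search(raw)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, value in parse_event(SAMPLE_EVENT).items():
        print(f"{name}={value}")
```

The named-group pattern carries over to a Splunk rex command, whose `(?<name>...)` syntax names the extracted fields the same way.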