Splunk Search

How to create a regex to return events with specific usernames in a field?

adamfiore
Explorer

I am trying to create a search that returns only those events that have a specific username (or part of a username) in the Account Name field under Target Account. I have zero experience with regular expressions, but based on some other posts I was able to put together a regex that seems to locate the appropriate field (which I tested on regex101.com). However, I can't seem to get the search to work - I've tried three different variations, and all error out. One final note, I'm using "like" because in the final iteration of the search, I'll be looking for any username that contains a specific suffix, not just one specific account. Appreciate the help.

WORKING REGEX

(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)

SAMPLE EVENT

6/25/2018 01:07:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4723
EventType=0
Type=Information
ComputerName=SERVER.TRX.COM
TaskCategory=User Account Management
OpCode=Info
RecordNumber=329720657
Keywords=Audit Success
Message=An attempt was made to change an account's password.
Subject:
    Security ID:        TRX\jsmith
    Account Name:   jsmith
    Account TRX:        TRX
    Logon ID:       0x6368FECE
Target Account:
    Security ID:        TRX\jsmith
    Account Name:   jsmith
    Account TRX:        TRX
Additional Information:
    Privileges

SEARCH THAT WORKS (But does not use the regular expression)

EventCode=4723 OR EventCode=4724 | where like (Account_Name,"jsmith")

REGEX SEARCHES TRIED

EventCode=4723 OR EventCode=4724 | where like ((regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = (?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)),"jsmith")
0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Try this:

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Regex

... root search ... | regex AccountName="Regex"

Or even this

... root search ... | rex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)" | where Account_Name="jsmith"


0 Karma

the_wolverine
Champion

You don't need to use the regex command if the field extract already exists:

root search jsmith OR AccountName=jsmith

0 Karma

aholzer
Motivator

These look like winEventLog:Security. You should look into using the Splunk TA for windows and the out of the box sourcetypes that come with it to handle this type of data. Then your extractions will work automatically rather than having to write your own.

In terms of running an inline regex what @jkat54 said is correct, just run your base search followed by ... | regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+jsmith"
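The following is an added example, not code from this thread. It emulates in Python the two approaches given above so they can be checked offline: the accepted answer's `rex` extraction followed by a `like()` filter, and the inline `| regex` over the raw event. The sample events are constructed from the 4723 event in the question (account names other than jsmith are made up), the `like()` emulation assumes only the `%` and `_` wildcards, and the extraction regex keeps the question's `Account_Name` capture but excludes line breaks from the captured value.

```python
import re

# Constructed sample events modelled on the question's 4723 event; the
# extra account names (jsmith-adm, svc-backup, helpdesk1) are made up.
EVENT_TEMPLATE = """\
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode={code}
Message=An attempt was made to change an account's password.
Subject:
    Security ID:        TRX\\{subject}
    Account Name:   {subject}
    Logon ID:       0x6368FECE
Target Account:
    Security ID:        TRX\\{target}
    Account Name:   {target}
    Account Domain: TRX
Additional Information:
    Privileges
"""

SAMPLE_EVENTS = [
    EVENT_TEMPLATE.format(code=4723, subject="jsmith", target="jsmith"),
    EVENT_TEMPLATE.format(code=4724, subject="helpdesk1", target="jsmith-adm"),
    EVENT_TEMPLATE.format(code=4724, subject="helpdesk1", target="svc-backup"),
    EVENT_TEMPLATE.format(code=4723, subject="jsmith-adm", target="jsmith"),
]

# The question's regex. Splunk's rex/regex commands use PCRE, where `.`
# does not cross a line break unless the s flag is set; the thread's
# (?ms) prefix corresponds to re.M | re.S here. The original [^ ]* would
# also swallow the newline after the name, so line breaks are excluded.
TARGET_ACCOUNT_PATTERN = (
    r"Target Account:.*Security ID:.*Account Name:\s+(?P<Account_Name>[^ \r\n]*)"
)


def extract_target_account(event, multiline=True):
    """Emulate `| rex "(?ms)..."`: return the Target Account name or None.

    multiline=False runs the same pattern without (?ms) to show that it
    then never matches a multi-line Windows Security event.
    """
    flags = (re.M | re.S) if multiline else 0
    m = re.search(TARGET_ACCOUNT_PATTERN, event, flags)
    return m.group("Account_Name") if m else None


def spl_like(value, pattern):
    """Emulate Splunk's like(): % matches any run of characters, _ exactly one.

    This is an assumption about like() limited to those two wildcards; a
    literal underscore in a username is therefore matched by _ as well.
    """
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.S) is not None


def target_accounts_like(events, pattern):
    """Equivalent of:
    ... | rex "(?ms)Target Account:...(?<Account_Name>...)" | where like(Account_Name, pattern)
    Returns the extracted Account_Name of every matching event.
    """
    names = []
    for ev in events:
        name = extract_target_account(ev)
        if name is not None and spl_like(name, pattern):
            names.append(name)
    return names


def regex_filter(events, pattern):
    """Emulate aholzer's inline `| regex "(?ms)<pattern>"`: keep raw events
    that match, without creating a field. Note this is a prefix match on
    the name unless the pattern itself anchors the end of the name, so
    "...Account Name:\\s+jsmith" also keeps jsmith-adm.
    """
    compiled = re.compile(pattern, re.M | re.S)
    return [ev for ev in events if compiled.search(ev)]


if __name__ == "__main__":
    print(target_accounts_like(SAMPLE_EVENTS, "%-adm"))
    print(len(regex_filter(SAMPLE_EVENTS,
                           r"Target Account:.*Security ID:.*Account Name:\s+jsmith")))
```

Run it as a script to see the suffix search return only jsmith-adm, while the inline regex for jsmith keeps three of the four events because jsmith-adm begins with jsmith; when the `regex` command is used on its own, end the pattern with a boundary such as `(?=\s|$)` or `[^ \r\n]*` is not enough on its own.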

adamfiore
Explorer

Thanks. That worked and I'll also look into TA for Windows. Appreciate the help.

0 Karma
