Understanding Parse Regex

Comments


  • Olaf Stein

    Hi Blake,

    Our regex engine uses the same syntax as most others. There are many resources out there; I personally like these 2:

    https://www.regular-expressions.info/tutorial.html

    https://zeroturnaround.com/rebellabs/java-regular-expressions-cheat-sheet/

    As for Windows logs, they are tricky. Here is an example to parse all the relevant fields from 4625 events:

    | parse regex "Logon\sType:\t+(?<logon_type>\d{1,2})\r"
    | parse regex "Subject:[\s\S]+?Account\sName:\t+(?<src_user>[^\r]+)"
    | parse regex "Subject:[\s\S]+?Account\sDomain:\t+(?<src_domain>[^\r]+)"
    | parse regex "Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sName:\t+(?<dest_user>[^\r]+)"
    | parse regex "Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sDomain:\t+(?<dest_domain>[^\r]+)"
    | parse regex "Network\sInformation:[\s\S]+?Workstation\sName:\t+(?<wkstation>[^\r]+)"
    | parse regex "Network\sInformation:[\s\S]+?Source\sNetwork\sAddress:\t+(?<src_ip>[^\r]+)"
    | parse regex "Failure\sInformation:[\s\S]+?Failure\sReason:\t+(?<fail_reason>[^\r]+)"
    | parse regex "Failure\sInformation:[\s\S]+?Status:\t+(?<fail_status>[^\r]+)"
    | parse regex "Logon\sProcess:\t+(?<logon_process>[^\r]+)"

    This looks complicated but is actually always the same. Two things of note:

    1) The regex itself leverages the key/value pair nature of these logs and the fact that there is always a new line after the value:

    (?<logon_process>[^\r]+)

    After we have arrived at the beginning of the value, we just match everything until we hit a new line.

    2) Some keys show up twice, for example Account Name, which is the one you asked about. It is in the Subject (we call this src_user) and in the actual message (dest_user). In this case we leverage static text in the message before the two values to find both accurately:

    | parse regex "Subject:[\s\S]+?Account\sName:\t+(?<src_user>[^\r]+)" 

    | parse regex "Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sName:\t+(?<dest_user>[^\r]+)" 


    Hope this helps

    Olaf

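The chained parse above, run offline as an added example (not code from the original post or from Sumo Logic): the ten patterns are taken verbatim from Olaf's comment and applied in Python to a constructed 4625 event body with the CRLF line endings that the `[^\r]+` and `\r` parts rely on. The sample event, the `parse_4625` helper and `naive_account_name` are assumptions made for this demonstration; Python's `re` module spells named groups `(?P<name>...)`, so the patterns are rewritten before compiling.

```python
import re

# The ten "parse regex" patterns from the post, copied verbatim (Sumo Logic syntax,
# named groups written as (?<name>...)).
SUMO_PATTERNS = [
    r"Logon\sType:\t+(?<logon_type>\d{1,2})\r",
    r"Subject:[\s\S]+?Account\sName:\t+(?<src_user>[^\r]+)",
    r"Subject:[\s\S]+?Account\sDomain:\t+(?<src_domain>[^\r]+)",
    r"Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sName:\t+(?<dest_user>[^\r]+)",
    r"Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sDomain:\t+(?<dest_domain>[^\r]+)",
    r"Network\sInformation:[\s\S]+?Workstation\sName:\t+(?<wkstation>[^\r]+)",
    r"Network\sInformation:[\s\S]+?Source\sNetwork\sAddress:\t+(?<src_ip>[^\r]+)",
    r"Failure\sInformation:[\s\S]+?Failure\sReason:\t+(?<fail_reason>[^\r]+)",
    r"Failure\sInformation:[\s\S]+?Status:\t+(?<fail_status>[^\r]+)",
    r"Logon\sProcess:\t+(?<logon_process>[^\r]+)",
]


def to_python_regex(pattern: str) -> str:
    """Rewrite (?<name>...) named groups to Python's (?P<name>...) spelling.

    Python 3.11+ accepts (?<name>...) directly, but the rewrite keeps this portable.
    """
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


COMPILED = [re.compile(to_python_regex(p)) for p in SUMO_PATTERNS]


def parse_4625(event_text: str) -> dict:
    """Apply each pattern in turn, like a chain of '| parse regex' operators.

    Each pattern contributes its named group(s); a pattern that does not match
    simply contributes nothing (Sumo Logic would instead drop the message unless
    'nodrop' is appended to the parse operator).
    """
    fields = {}
    for rx in COMPILED:
        m = rx.search(event_text)
        if m:
            for name, value in m.groupdict().items():
                # [^\r]+ also captures trailing blanks (e.g. "NtLmSsp "); trim them.
                fields[name] = value.strip()
    return fields


def naive_account_name(event_text: str):
    """What a regex WITHOUT the leading static text returns: the first 'Account Name:'
    in the message, which in a 4625 event is the Subject's, not the target account's."""
    m = re.search(r"Account\sName:\t+(?P<user>[^\r]+)", event_text)
    return m.group("user").strip() if m else None


# Constructed sample 4625 message body (not a real captured log). Windows Security
# log text separates key and value with tabs and ends lines with CRLF, which is
# exactly what the patterns above depend on.
SAMPLE_4625 = (
    "An account failed to log on.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tNULL SID\r\n"
    "\tAccount Name:\t\t-\r\n"
    "\tAccount Domain:\t\t-\r\n"
    "\tLogon ID:\t\t0x0\r\n"
    "\r\n"
    "Logon Type:\t\t\t3\r\n"
    "\r\n"
    "Account For Which Logon Failed:\r\n"
    "\tSecurity ID:\t\tNULL SID\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
    "\r\n"
    "Failure Information:\r\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\r\n"
    "\tStatus:\t\t\t0xC000006D\r\n"
    "\tSub Status:\t\t0xC000006A\r\n"
    "\r\n"
    "Network Information:\r\n"
    "\tWorkstation Name:\tWS01\r\n"
    "\tSource Network Address:\t10.0.0.5\r\n"
    "\tSource Port:\t\t49152\r\n"
    "\r\n"
    "Detailed Authentication Information:\r\n"
    "\tLogon Process:\t\tNtLmSsp \r\n"
    "\tAuthentication Package:\tNTLM\r\n"
)


if __name__ == "__main__":
    for k, v in parse_4625(SAMPLE_4625).items():
        print(f"{k:14s} = {v}")
    print("naive Account Name match:", naive_account_name(SAMPLE_4625))
```

Two things worth checking when you adapt this to your own events: the message must still carry its original tabs and `\r\n` line breaks (a collector that normalizes whitespace or line endings breaks `\t+` and `[^\r]+`), and the lazy `[\s\S]+?` only stays accurate because the static text it starts from (`Subject:`, `Account For Which Logon Failed:`) occurs once and before the key you want.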
  • Blake Cabus

    This is extremely helpful! Thank you very much
