I am creating a Splunk alert for Active Directory events when anything gets moved. I am having trouble implementing regex in the search.

So I created a regex like this:

=(\b\w+.\w?.?.?\w+\s?\w+),(?:.?.?.?)(\w+\s?\w+),(?:.?.?.?)(\w+\s?\w+),(?:.?.?.?)(\w+\s?\w+) 

It's not really working like I would like to. The sample data I am working with looks like this:

CN=User Test,OU=Admins,OU=Users,OU=Test,OU=12Test Test,DC=test,DC=test12,DC=test,DC=test
CN=User T. Test ADM,OU=Users,OU=Test,OU=Test,DC=test12,DC=test,DC=abc,DC=test

The issue is that I need to ignore `CN=` and `OU=` and only get the strings after them, ignoring anything after `DC=`, and extract those values as a variable or an accessible string.

For example, I'd want my output to look like this in the alert:

User Account <CN= String> moved from <12Test> <Test> <Users>
Mads Hansen
  • Using `?` means making it optional. How do you get this string `User Account`? Is `User` from the string and account added by you? Is there any logic to the pattern? Can there for example be more groups? – The fourth bird Aug 21 '23 at 16:31
  • @Thefourthbird I suppose it could be worded better, a better example for the output would be like this exampleOutput= "User Account " + StringFromCN " Moved From " + StringFromOU + StringFromOU + StringFromOU There can be more groups which is sort of the biggest issue I am running into, the way it is logged is kind of backwards as well, but you can't really change that. the last OU should technically be the first and so on and so forth to follow how you would actually traverse the AD. You could have more or less OU's. – NotAProfessional Aug 21 '23 at 16:44
  • ldap/ad data is structured, but it is *not* of a fixed size - the breaker is the comma character (except, of course, when it isn't :) ). Your initial example even showcases this with multiple `OU=` clauses :) ...it may be better to look at AD on a "snapshot-like" basis, and compare the *current* state of an object with the *former* state of the object – warren Aug 22 '23 at 12:00

1 Answer

To extract the desired information from your sample data in Splunk using regular expressions (regex), you can use Splunk's rex command. Here's a Splunk search query that will help you achieve the desired output:

index=your_index sourcetype=your_sourcetype
| rex field=_raw "CN=(?<cn>[^,]+),OU=(?<ou1>[^,]+),OU=(?<ou2>[^,]+),OU=(?<ou3>[^,]+),DC=(?<dc1>[^,]+),DC=(?<dc2>[^,]+),DC=(?<dc3>[^,]+),DC=(?<dc4>[^,]+)"
| eval message="User Account <CN= ".cn."> moved from <".ou3."> <".ou2."> <".ou1.">"
| table message

Explanation: `index=your_index sourcetype=your_sourcetype`: Replace your_index and your_sourcetype with the appropriate values to specify the index and sourcetype of your Active Directory events.

rex field=_raw ...: This command uses the rex command to perform regular expression extraction on the _raw field, which typically contains the raw log data.

The regex pattern "CN=(?<cn>[^,]+),OU=(?<ou>[^,]+),OU=(?<ou>[^,]+),OU=(?<ou>[^,]+),DC=(?<dc>[^,]+),DC=(?<dc>[^,]+),DC=(?<dc>[^,]+),DC=(?<dc>[^,]+)" captures the values following CN=, OU=, and DC= in your log data. It creates named capture groups (cn, ou, and dc) for each of these values.

eval message="User Account <CN= $cn$> moved from <$ou$>": This eval command creates a new field called message where you can format the output message as desired. It includes the extracted values from the named capture groups.

table message: This command selects only the message field for display in the search results.

After running this Splunk search query, the output should provide you with the desired format, where "User Account" is followed by the CN value and "moved from" is followed by the OU values.

RichG
Nhu-Nguyen
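The two problems raised in the thread, a variable number of `OU=` components and commas that are part of a value, are easier to see with a small parser than with a single fixed-shape regex. The following is an added Python example and is not code from the question or the answer. The sample distinguished names are constructed; the third one carries an RFC 4514 escaped comma (`\,`), which a `[^,]+` group would split in the wrong place. The message format follows the question, with the OUs reversed so they read from the top of the tree downward, and `describe_move`, `parse_dn` and `fixed_count_matches` are names chosen here, not Splunk functions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in the shape shown in the question (not real AD data).
SAMPLE_DNS = [
    "CN=User Test,OU=Admins,OU=Users,OU=Test,OU=12Test Test,DC=test,DC=test12,DC=test,DC=test",
    "CN=User T. Test ADM,OU=Users,OU=Test,OU=Test,DC=test12,DC=test,DC=abc,DC=test",
    # RFC 4514 lets a comma appear inside a value when it is escaped with a backslash.
    r"CN=Doe\, Jane,OU=Finance,OU=Corp,DC=example,DC=test",
]

# One RDN at a time: "type=value" where the value runs until an UNESCAPED comma.
# (?:\\.|[^,\\])+ consumes either a backslash-escaped character or any non-comma char.
RDN_RE = re.compile(r"(?P<type>[A-Za-z]+)=(?P<value>(?:\\.|[^,\\])+)")

# The fixed-count shape used in the answer: exactly three OUs between CN and the first DC.
FIXED_COUNT_RE = re.compile(r"CN=([^,]+),OU=([^,]+),OU=([^,]+),OU=([^,]+),DC=")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs, honouring backslash escapes in values."""
    rdns = []
    for m in RDN_RE.finditer(dn):
        # Drop the escaping backslash so "Doe\, Jane" becomes "Doe, Jane".
        value = re.sub(r"\\(.)", r"\1", m.group("value"))
        rdns.append((m.group("type").upper(), value))
    return rdns


def describe_move(dn: str) -> Dict[str, object]:
    """Build the alert text requested in the question from any number of OU components."""
    rdns = parse_dn(dn)
    cn = next(v for t, v in rdns if t == "CN")
    ous = [v for t, v in rdns if t == "OU"]
    # A DN lists the leaf first; reverse the OUs so the path reads top-down like the tree.
    path = list(reversed(ous))
    message = "User Account <CN= %s> moved from %s" % (
        cn, " ".join("<%s>" % ou for ou in path))
    return {"cn": cn, "ou_path": path, "message": message}


def fixed_count_matches(dn: str) -> bool:
    """True if the answer-style regex (exactly three OUs) would match this DN at all."""
    return FIXED_COUNT_RE.search(dn) is not None


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(describe_move(dn)["message"])
        print("  fixed-count regex matches:", fixed_count_matches(dn))
```

The fixed-count pattern only fires on the second sample, which happens to have exactly three OUs; the first sample (four OUs) and the third (an escaped comma) produce no match at all, so an alert built on it silently drops those events. In Splunk the equivalent of the per-RDN scan is one `rex` with `max_match=0` capturing a single `ou` group into a multivalue field, joined with `mvjoin`, rather than one named group per expected OU.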