Post by chuckj on Mar 23, 2015 19:59:08 GMT
Here is the code for the public parser that is used by Sumo. Currently, Sumo does not support the use of a /public or /private parser within their Field Extraction rules. So, if you want to field extract high priority Windows events, you would have to create your own parser. I hope this saves you some time. I restrict the scope of what would come into this field extraction rule by only looking at key event codes I am interested in from a security perspective. I will post another thread on which codes you may want to pay particular attention to. That data will be based on numerous inputs from the web and from Sumo themselves.
Also, I don't use the normalized field "wkstation". I just stay with src_host, dest_host only. I will post another thread on suggested normalized field names as well.
// Windows Security event field extraction (Java regex syntax; [\s&&[^\r]] = whitespace except CR)
// Each extract is chained with "nodrop" so a non-matching rule keeps the message and sets no field.
extract "CategoryString = \"(?<category>[^\"]+?)\";[\s\S]+?Logfile = \"Security\"" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Logon Account:\s(?<dest_user>[^\r\n]+?)(?:\n|\r)" nodrop |
// First "Account Name:" is the Subject; a later rule overrides with the Subject/target pair when both exist
extract "Logfile = \"Security\";[\s\S]+?Account Name:[\s&&[^\r]]+(?<src_user>[^\r]+?)\r" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Subject:[\s\S]+?Account Name:[\s&&[^\r]]+(?<src_user>[^\r]+?)\r[\s\S]+?Account Name:[\s&&[^\r]]+(?<dest_user>[^\r\"]+?)(?:\r|\")" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Account Domain:[\s&&[^\r]]+(?<src_domain>[^\r\"]+?)(?:\r|\")" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Subject\s*:[\s\S]+?Account Domain:[\s&&[^\r]]+(?<src_domain>[^\r]+?)\r[\s\S]+?Account Domain:[\s&&[^\r]]+(?<dest_domain>[^\r]+?)(?:\r|\")" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Logon Process(?: Name|):[\s&&[^\r]]+(?<logon_process>[^\r\"]+?)(?:\s|\")" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Workstation Name:\s(?<wkstation>[^\r]+?)\r" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Source Workstation:\s+(?<wkstation>[^\r]+?)\r" nodrop |
// Kerberos (4768/4769/4771) style fields
extract "Logfile = \"Security\";[\s\S]+?Client Address:[\s&&[^\r]]+(?<src_ip>[^\r]+?)\r" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Client Port:\s+?(?<src_port>\d+)" nodrop |
extract "(?:Failure|Error|Result) Code:\s+?(?<result_code>0x[A-Fa-f\d]+)\b" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Pre-Authentication Type:\s(?<preauth_type>[\d-]+?)\r" nodrop |
// Group membership change fields
extract "Logfile = \"Security\";[\s\S]+?Group Name:[\s&&[^\r]]+(?<group_name>[^\r]+?)\r" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Group Domain:[\s&&[^\r]]+(?<group_domain>[^\r\"]+?)(?:\r|\")" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Subject:[\s\S]+?Account Name:[\s&&[^\r]]+(?<src_user>[^\r]+?)\r[\s\S]+?Member:[\s\S]+?Account Name:[\s&&[^\r]]+(?<dest_user>[^\r\"]+?)\r[\s\S]+?Group:[\s\S]+?(?:Account|Group) Name:[\s&&[^\r]]+(?<group_name>[^\r\"]+?)\r\s+?(?:Account|Group) Domain:[\s&&[^\r]]+(?<group_domain>[^\r\"]+?)\r" nodrop |
// Logon (4624/4625) style fields
extract "Logfile = \"Security\";[\s\S]+?Logon Type:\s\s\s(?<logon_type>\d+)\b" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Failure Reason:\s\s(?<fail_reason>[^.\r]+?)[.\r]" nodrop |
extract "Failure Reason:[\s\S]+?Status:[\s\S]+?Sub Status:\s\s(?<result_code>0x[A-Fa-f\d]+)\b" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Source Network Address:[\s&&[^\r]]+(?<src_ip>[^\r]+?)\r" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Source Port:\s\s(?<src_port>\S+)\s" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Process ID:[\s&&[^\r]]+(?<process_id>[^\r]+?)\r" nodrop |
extract "Logfile = \"Security\";[\s\S]+?Process Name:[\s&&[^\r]]+(?<process_name>\S[^\r\"]*?)(?:\r|\")"
Thanks,
Chuck
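Added example (not part of Chuck's post or Sumo's own code): a Python port of the logon-related extracts above, run over two constructed Windows Security events (a 4624 success and a 4625 failure) to show the Subject/target split for src_user and dest_user, the Sub Status override of result_code, and the nodrop behaviour where a rule that does not match leaves its field unset. The sample events, the `extract_fields` helper and the `[^\S\r]` rewrite of Java's `[\s&&[^\r]]` are assumptions made here for the example.

```python
import re

# Constructed samples (not real captures) in the "Key = Value;" layout the Sumo
# Windows collector emits, with \r\n line endings and tab padding as on Windows.
SAMPLE_4624 = (
    'EventCode = 4624; CategoryString = "Logon"; Logfile = "Security"; '
    'Message = "An account was successfully logged on.\r\n\r\n'
    'Subject:\r\n\tAccount Name:\t\tHOST01$\r\n\tAccount Domain:\t\tCORP\r\n\r\n'
    'Logon Type:\t\t\t3\r\n\r\n'
    'New Logon:\r\n\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tCORP\r\n\r\n'
    'Process Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\n'
    'Network Information:\r\n\tSource Network Address:\t10.0.0.25\r\n\tSource Port:\t\t49812\r\n";'
)
SAMPLE_4625 = (
    'EventCode = 4625; CategoryString = "Logon"; Logfile = "Security"; '
    'Message = "An account failed to log on.\r\n\r\n'
    'Subject:\r\n\tAccount Name:\t\tHOST01$\r\n\tAccount Domain:\t\tCORP\r\n\r\n'
    'Logon Type:\t\t\t3\r\n\r\n'
    'Account For Which Logon Failed:\r\n\tAccount Name:\t\tadmin\r\n\tAccount Domain:\t\tCORP\r\n\r\n'
    'Failure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n'
    '\tStatus:\t\t\t0xc000006d\r\n\tSub Status:\t\t0xc000006a\r\n\r\n'
    'Network Information:\r\n\tSource Network Address:\t203.0.113.7\r\n\tSource Port:\t\t51200\r\n";'
)
# Python ports of the post's extracts: Java's [\s&&[^\r]] (whitespace except CR)
# becomes [^\S\r] and named groups use (?P<name>...). Order matters: as with a
# chain of "extract ... nodrop |", a later matching rule overwrites the field.
SEC = r'Logfile = "Security";[\s\S]+?'
RULES = [
    re.compile(r'CategoryString = "(?P<category>[^"]+?)";[\s\S]+?Logfile = "Security"'),
    re.compile(SEC + r'Subject:[\s\S]+?Account Name:[^\S\r]+(?P<src_user>[^\r]+?)\r'
               r'[\s\S]+?Account Name:[^\S\r]+(?P<dest_user>[^\r"]+?)(?:\r|")'),
    re.compile(SEC + r'Subject\s*:[\s\S]+?Account Domain:[^\S\r]+(?P<src_domain>[^\r]+?)\r'
               r'[\s\S]+?Account Domain:[^\S\r]+(?P<dest_domain>[^\r]+?)(?:\r|")'),
    re.compile(SEC + r'Logon Type:\s\s\s(?P<logon_type>\d+)\b'),
    re.compile(SEC + r'Failure Reason:\s\s(?P<fail_reason>[^.\r]+?)[.\r]'),
    re.compile(r'Failure Reason:[\s\S]+?Status:[\s\S]+?Sub Status:\s\s(?P<result_code>0x[A-Fa-f\d]+)\b'),
    re.compile(SEC + r'Source Network Address:[^\S\r]+(?P<src_ip>[^\r]+?)\r'),
    re.compile(SEC + r'Source Port:\s\s(?P<src_port>\S+)\s'),
    re.compile(SEC + r'Process Name:[^\S\r]+(?P<process_name>\S[^\r"]*?)(?:\r|")'),
]

def extract_fields(raw: str) -> dict:
    """nodrop semantics: a rule that does not match simply sets no field."""
    fields = {}
    for rule in RULES:
        m = rule.search(raw)
        if m:
            fields.update(m.groupdict())
    return fields
```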