I have the below relevance that works:
Q: (time generated of it, (concatenation of substrings separated by "%0d%0a" of (preceding text of first "%0d%0a%09" of following text of first "Account Name:%09%09" of it), concatenation of substrings separated by "%0d%0a" of (preceding text of first "%0d%0a%09" of following text of first "New Process Name:%09" of it)) of (descriptions of it)) of records whose (event id of it = 4688 and ((preceding text of first "%0d%0a%09" of following text of first "Account Name:%09%09" of it) of description of it contains ".mit") and (((preceding text of first "%0d%0a%09" of following text of first "New Process Name:%09" of it) of description of it contains "iexplore.exe") or ((preceding text of first "%0d%0a%09" of following text of first "New Process Name:%09" of it) of description of it contains "MicrosoftEdgeCP.exe"))) of (security event log)
which queries Windows event logs to show when an account name containing a string launches a process. The relevance is SLOW and is resolving in around ~500,000ms. Anyway, the issue at hand is that I am trying to return a shortened "New Process Name" string. It currently returns the full path as shown below:
How can I obtain ONLY the "iexplore.exe" or "MicrosoftEdgeCP.exe"?
I have tried the below relevance (taking out the “Account Name” concatenation for shorter test times), but keep getting “singular expression refers to non-existent object”:
Q: (time generated of it, (concatenation of substrings separated by "%0d%0a" of (following text of last "%22" of it) of (preceding text of first "%0d%0a%09" of it) of (following text of first "New Process Name:%09" of it)) of (descriptions of it)) of records whose (event id of it = 4688 and ((preceding text of first "%0d%0a%09" of following text of first "Account Name:%09%09" of it) of description of it contains ".mit") and (((preceding text of first "%0d%0a%09" of following text of first "New Process Name:%09" of it) of description of it contains "iexplore.exe") or ((preceding text of first "%0d%0a%09" of following text of first "New Process Name:%09" of it) of description of it contains "MicrosoftEdgeCP.exe"))) of (security event log)
E: Singular expression refers to nonexistent object.
Q: (time generated of it, (parenthesized part 2 of it & "" & parenthesized part 1 of it & ", " & parenthesized part 3 of it) of (matches (regex "(?!.New Process Name.)iexplore.exe") of descriptions of it)) of records whose (event id of it = 4688 and ((preceding text of first "%0d%0a%09" of following text of first "Account Name:%09%09" of it) of description of it contains ".mit") and (((preceding text of first "%0d%0a%09" of following text of first "New Process Name:%09" of it) of description of it contains "iexplore.exe") or ((preceding text of first "%0d%0a%09" of following text of first "New Process Name:%09" of it) of description of it contains "MicrosoftEdgeCP.exe"))) of (security event log)
E: The expression could not be evaluated: Regex Error - No preceding re for repetition op.
I tested the Regex as well on regex101.com; it's solid, unless I am using the wrong language or something.
Here is what I came up with based on a similar query I was working on, not tested with your variables but give it a shot:
q: (time generated of it, (parenthesized part 1 of it & ", " & parenthesized part 2 of it) of (matches (regex "Subject:.*Account Name:%09.+(.*\.mit)%0d%0a%09.*Process Information:.*New Process Name:%09.*(iexplore.exe|MicrosoftEdgeCP.exe)%0d%0a%09Token Elevation Type:") of description of it)) of records whose (event id of it = 4688) of security event log
Got it!
Thanks @Sean for the direction. I am good with Regex but was not aware of all the POSIX limitations compared to other languages (see http://www.regular-expressions.info/posix.html)! Quite a challenge to work with these limitations.
q: (time generated of it, (parenthesized parts of (matches (regex "New Process Name.*\\([[:word:]]+.exe)") of description of it))) of records whose (event id of it = 4688) of security event log
A: ( Mon, 16 Apr 2018 03:12:58 -0500 ), cmd.exe
A: ( Mon, 16 Apr 2018 03:12:59 -0500 ), cmd.exe
A: ( Mon, 16 Apr 2018 03:12:59 -0500 ), conhost.exe
A: ( Mon, 16 Apr 2018 03:12:59 -0500 ), wmiprvse.exe
…will return all. Now I just have to filter them. Will post my filter when done
Final product. Will filter results only by accounts ending with .mit or .bps, or only accounts with the word admin in them (even if it has a - in it). Will also filter only for a few web browser processes. My goal was to detect admin accounts launching web browsers. Note to readers: the "parenthesized part # of it" represents the capturing group number returned. I recommend using regex101.com to show you which capturing groups will return what you need to capture in your analysis results. Unfortunately, POSIX ERE does not support non-capturing groups, so you have to know what number to return. Also note the [^$]. This is what I use to filter out events that have no account name, but have the computer name instead. Such events always seem to place the computer name followed by a $ symbol. Therefore, the [^$] will not return those events.
q: ((month of it as two digits & "/" & day_of_month of it as two digits & "/" & year of it as string) of dates (local time zone) of times generated of it, (time of times (local time zone) of times generated of it), computer name, (parenthesized part 1 of it & ", " & parenthesized part 6 of it & ", " & parenthesized part 8 of it) of (matches (regex "Account Name:%09%09(([^$]+.)|([^$]*admin(\w|-)*)).+New Process Name:.*[[:punct:]]((iexplore|MicrosoftEdgeCP|firefox|chrome).exe)%0d%0a%09Token Elevation Type:.*(193\d)") of description of it)) of records whose (event id of it = 4688) of security event log
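The same detection logic, written as an added stand-alone Python example rather than code from this thread or from BigFix, so the filter can be checked against sample data before it is pushed to clients. It extracts the Account Name, New Process Name and Token Elevation Type fields from constructed 4688 description text (the same tab-indented, CRLF-separated layout the "%09" and "%0d%0a" escapes above refer to), strips the directory from the process path, drops machine accounts that end in "$", and keeps browser launches by accounts ending in .mit or .bps or containing "admin". The sample descriptions, the helper names and the field set are assumptions; Python's re module is not POSIX ERE, so this does not reproduce the capture-group numbering constraint discussed in the post.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional


def _desc(account: str, new_process: str, elevation: str) -> str:
    # Constructed 4688 description text (not real log data): tab-indented
    # "Field:<TAB>value" lines separated by CRLF, with only the fields the
    # filter below needs.
    return (
        "A new process has been created.\r\n\r\nSubject:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-1000\r\n"
        f"\tAccount Name:\t\t{account}\r\n"
        "\tAccount Domain:\t\tCORP\r\n"
        "\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n"
        "\tNew Process ID:\t\t0x1a2c\r\n"
        f"\tNew Process Name:\t{new_process}\r\n"
        f"\tToken Elevation Type:\t{elevation}\r\n"
        "\tCreator Process ID:\t0x4d0\r\n"
    )


# Constructed sample events: one admin user opening IE, a machine account
# opening Chrome, an admin account opening cmd.exe, an admin account opening
# Firefox, and an ordinary user opening Firefox.
SAMPLE_4688 = [
    _desc("jdoe.mit", r"C:\Program Files\Internet Explorer\iexplore.exe", "%%1937"),
    _desc("WKS01$", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "%%1936"),
    _desc("svc-admin", r"C:\Windows\System32\cmd.exe", "%%1936"),
    _desc("it-admin-1", r"C:\Program Files\Mozilla Firefox\firefox.exe", "%%1938"),
    _desc("bob", r"C:\Program Files\Mozilla Firefox\firefox.exe", "%%1938"),
]

BROWSERS = {"iexplore.exe", "microsoftedgecp.exe", "firefox.exe", "chrome.exe"}
# Accounts of interest: ending in .mit or .bps, or containing "admin"
# anywhere (so "it-admin-1" and "svc-admin" both qualify).
ADMIN_ACCOUNT_RE = re.compile(r"\.(mit|bps)$|admin", re.I)


class Hit(NamedTuple):
    account: str
    process: str    # basename only, e.g. "iexplore.exe"
    elevation: str  # the 193x code from "Token Elevation Type"


def field(description: str, name: str) -> Optional[str]:
    """Value of the tab-indented 'Name:<TAB>...value' line, or None if absent."""
    m = re.search(r"^\t" + re.escape(name) + r":\t+(.*)$", description, re.M)
    return m.group(1).strip() if m else None


def is_admin_account(account: str) -> bool:
    # Machine accounts are logged as COMPUTERNAME$; the relevance above
    # excludes them with [^$], here the trailing '$' is checked explicitly.
    if account.endswith("$"):
        return False
    return ADMIN_ACCOUNT_RE.search(account) is not None


def admin_browser_launches(descriptions) -> List[Hit]:
    """Return one Hit per 4688 description where a qualifying account launched a browser."""
    hits = []
    for desc in descriptions:
        account = field(desc, "Account Name")
        path = field(desc, "New Process Name")
        elev = field(desc, "Token Elevation Type")
        if not (account and path and elev):
            continue  # malformed or differently rendered event text
        exe = ntpath.basename(path)  # directory stripped, like the capture group above
        code = re.search(r"193\d", elev)
        if is_admin_account(account) and exe.lower() in BROWSERS and code:
            hits.append(Hit(account, exe, code.group(0)))
    return hits


if __name__ == "__main__":
    for h in admin_browser_launches(SAMPLE_4688):
        print(f"{h.account}, {h.process}, {h.elevation}")
```

Run against the five constructed events it reports only the jdoe.mit and it-admin-1 browser launches; the cmd.exe launch fails the process filter, the machine account fails the "$" check, and "bob" matches no account pattern. Because the fields are parsed line by line instead of with one long regex, adding a new browser or account pattern means editing a set or a short expression rather than recounting capture groups.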
Do take care using this. Don’t apply it as an Analysis Property, rather use this in an Action to generate a result and then retrieve the result in an Analysis.
A query that takes 400 seconds in the debugger will likely take over 10 hours in the native client (based on the throttled client taking about 80x as long as the debugger).
I do not think that estimate is still relevant; I only say that because of the default "BESClient_Resource_InterruptSeconds" setting. This is the timeout before an "error" is returned by the client due to "inspector interrupted", AKA timeout. The client has a maximum setting of 600 seconds from my understanding. Regardless, my clients seem to be returning expected results in less than that time as they show results. My original syntax without using the RegEx was returning the "error: inspector interrupted" due to the relevance taking greater than 600 seconds to evaluate.
perhaps that has to do with the type of evaluation performed in the QnA; I was not using the Local Client Evaluator, rather, I was using the other option to run the query.
Oh, great to hear. If you were already evaluating in native client mode that doesn’t sound like a problem, but I’d still be careful about how frequently to evaluate the property.