
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task>


This is a text. I want to write a regex that checks if the text contains Windows and EventID 4624 or 4625.
How am I supposed to do that?
regexp: .*Windows.*<EventID>\\b(4624|4625)\\b</EventID>.*

My expression is not working.


Can anyone help?

 

Hi @anurag.q.singh 

This is likely as you haven't escaped the backslash in the last EventID call in brackets. Please see if the below works:

 

.*Windows.*<EventID>\\b(4624|4625)\\b<\\/EventID>.*

 

Kind Regards,

Ayman



$cap = re.capture($var, .*Windows.*<EventID>\\b(4624|4623)\\b<\\/EventID>.*)

Error:
tokenizing: regex not terminated: /EventID>.*)



Hi @anurag.q.singh,

The below should work - essentially within a 're.capture'[1] (the function you're using) you can't pass a variable to the first argument. Secondly, the way you were initiating the regex pattern was incorrect, as there was no enclosing "..." or /.../ like the below. Hope this helps!

 

rule Regex_Example {
  meta:
    author = "Ayman C"
    description = "Regex example"

  events:
    // $event.metadata.product_event_type = "1"
    // $event.metadata.description = "4688"
    $event.metadata.event_type = "PROCESS_LAUNCH"
    $event.target.process.command_line = $Commandline
    // Regex literal (/.../): escapes are passed to the engine as written, so
    // \b is a word boundary and \/ is the escaped slash of the closing tag.
    // Double backslashes (\\b, \\/) are only needed inside a "..." string literal.
    $capture = re.capture($event.target.process.command_line, /.*Windows.*<EventID>\b(4624|4623)\b<\/EventID>.*/)

  condition:
    $event
}

 

[1] - 


Kind Regards,

Ayman C
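To see the thread's regex behave as intended, and why the number of backslashes depends on whether the pattern sits in a raw/regex literal or in a quoted string, here is an added Python example; it is not code from the original posts or from Chronicle. The sample events, the helper names (capture_logon_id, parse_logon_id) and the XML-parsing check beside the regex are constructed for illustration. The parser variant goes one step beyond the thread: it reads the Provider name and EventID from the XML structure instead of matching text, so the same digits elsewhere in the event cannot produce a false hit.

```python
"""Check raw Windows Security XML for logon events (EventID 4624 or 4625).

Added example for this thread, not code from the original posts or from
Chronicle. All sample events below are constructed, not real logs.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample events; only the <System> block matters for the check.
EVENT_4624 = ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
              "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
              "<EventID>4624</EventID><Version>2</Version></System></Event>")
EVENT_4625 = EVENT_4624.replace("4624", "4625")            # failed logon
EVENT_4623 = EVENT_4624.replace("4624", "4623")            # not a logon ID we want
EVENT_46240 = EVENT_4624.replace("<EventID>4624<", "<EventID>46240<")  # longer number
NOT_WINDOWS = EVENT_4624.replace("Microsoft-Windows-Security-Auditing", "sshd")

# The thread's pattern as a raw string: \b reaches the regex engine as a word
# boundary and \/ as a literal slash. In a plain (non-raw) string literal the
# same pattern needs "\\b" and "\\/", the double-backslash form of the first
# post. Both spellings compile to the identical pattern, as the assert shows.
LOGON_RE = re.compile(r"Windows.*<EventID>\b(4624|4625)\b<\/EventID>")
LOGON_RE_NONRAW = re.compile("Windows.*<EventID>\\b(4624|4625)\\b<\\/EventID>")
assert LOGON_RE.pattern == LOGON_RE_NONRAW.pattern


def capture_logon_id(text: str) -> Optional[str]:
    """Return the captured EventID ('4624' or '4625') or None, like re.capture."""
    m = LOGON_RE.search(text)
    return m.group(1) if m else None


def is_windows_logon_event(text: str) -> bool:
    """Boolean form of the check the original question asked for."""
    return capture_logon_id(text) is not None


# Regex is fine as a quick filter, but the event is XML, so a parser is the
# robust check: it reads Provider Name and EventID from their elements and
# is not fooled by the same digits appearing elsewhere in the event text.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_IDS = {"4624", "4625"}


def parse_logon_id(xml_text: str) -> Optional[str]:
    """Return the EventID if this is a Windows Security logon event, else None."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.find("e:System/e:EventID", NS)
    if provider is None or event_id is None:
        return None
    if "Windows" not in (provider.get("Name") or ""):
        return None
    return event_id.text if event_id.text in LOGON_IDS else None


if __name__ == "__main__":
    for name, sample in [("4624", EVENT_4624), ("4625", EVENT_4625),
                         ("4623", EVENT_4623), ("46240", EVENT_46240),
                         ("non-Windows", NOT_WINDOWS)]:
        print(f"{name:12s} regex={capture_logon_id(sample)!s:5s} "
              f"parser={parse_logon_id(sample)}")
```

The `\b` after `<EventID>` is what stops `46240` from matching the `4624` alternative; the closing `<\/EventID>` already enforces that here, but the boundary keeps the capture correct if the pattern is later used against text where the closing tag is not adjacent.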