RegEx for QRadar SIEM

Time: 2017-01-10 05:50:42

Tags: java regex

I need to create a custom property for QRadar SIEM that involves a regular expression. I am looking for the best way to match the Account Name IT-TESTGRP, which is currently being populated with the Security ID account. The goal is to pull out whichever account is found under Group. I am having trouble working out the match while avoiding Subject: & Member:. I only want the account associated with Group:

    <13>Jan 09 12:33:50 SRVDC0 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.4.86 Source=Microsoft-Windows-Security-Auditing Computer=SRVDC0.corp.teslab.ca OriginatingComputer=SRVDC0 User= Domain= EventID=4756 EventIDCode=4756 EventType=8 EventCategory=13826 RecordNumber=1244048131 TimeGenerated=1483983229 TimeWritten=1483983229 Level=0 Keywords=0 Task=0 Opcode=0 Message=A member was added to a security-enabled universal group. Subject: Security ID: CORP\bforeman Account Name: bforeman Account Domain: CORP Logon ID: 0x220f7a57 Member: Security ID: CORP\jsmith Account Name: CN=jsmith\, Dan,OU=Exchange Users,DC=corp,DC=testlab,DC=ca Group: Security ID: CORP\IT-TESTGRP Account Name: IT-TESTGRP Account Domain: CORP Additional Information: Privileges:

2 answers:

Answer 0 (score: 0)

The approach is to match on Group: Security ID, as shown below:

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    // Anchor on "Group:" so the Subject: and Member: blocks are skipped; \1 re-checks the domain captured before the backslash.
    Pattern p = Pattern.compile("Group: Security ID: (\\w+)\\\\([^ ]+) Account Name: ([^ ]+) Account Domain: \\1");
    Matcher m = p.matcher("Jan 09 12:33:50 SRVDC0 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.4.86 Source=Microsoft-Windows-Security-Auditing Computer=SRVDC0.corp.teslab.ca OriginatingComputer=SRVDC0 User= Domain= EventID=4756 EventIDCode=4756 EventType=8 EventCategory=13826 RecordNumber=1244048131 TimeGenerated=1483983229 TimeWritten=1483983229 Level=0 Keywords=0 Task=0 Opcode=0 Message=A member was added to a security-enabled universal group. Subject: Security ID: CORP\\bforeman Account Name: bforeman Account Domain: CORP Logon ID: 0x220f7a57 Member: Security ID: CORP\\jsmith Account Name: CN=jsmith\\, Dan,OU=Exchange Users,DC=corp,DC=testlab,DC=ca Group: Security ID: CORP\\IT-TESTGRP Account Name: IT-TESTGRP Account Domain: CORP Additional Information: Privileges:");

    while (m.find()) {
        System.out.println("domain: " + m.group(1) + ", security id: " + m.group(2) + ", account Name: " + m.group(3));
    }

Returns

    domain: CORP, security id: IT-TESTGRP, account Name: IT-TESTGRP

To drop the group in front of the Security ID, simply match the word before the backslash and then use a back-reference to make sure that word matches the Account Domain string.

Answer 1 (score: 0)

I figured it out - Group:\s+Security\s+ID:\s+.*?\\([^ ]+) - here is my use case https://regex101.com/r/5gw5EO/1
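Both answers rely on the same idea: anchor the pattern on the literal Group: label so the earlier Subject: and Member: blocks of the 4756 event cannot satisfy it. The class below is an added example written for this page (it is not code from the question, either answer, or QRadar itself); it runs Answer 0's back-reference check with Answer 1's \s+ spacing on a constructed 4756 payload, and sets an unanchored Security ID pattern beside it to show which account that one would hand to the custom property.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: pull the account under "Group:" out of a Windows 4756 payload.
public class GroupAccountExtractor {

    // Anchored on "Group:" so the Subject: and Member: blocks are skipped.
    // \s+ accepts both a single-line QRadar payload and multi-line event text;
    // the back-reference \1 requires the SID's domain to equal Account Domain.
    private static final Pattern GROUP_ACCOUNT = Pattern.compile(
        "Group:\\s+Security ID:\\s+(\\w+)\\\\(\\S+)\\s+Account Name:\\s+(\\S+)"
        + "\\s+Account Domain:\\s+\\1");

    // Unanchored pattern: stops at the first "Security ID" in the payload,
    // which in a 4756 event is the Subject (the actor), not the group.
    private static final Pattern FIRST_SID =
        Pattern.compile("Security ID:\\s+\\w+\\\\(\\S+)");

    /** Returns the Group account name, or null if the payload has no Group block. */
    public static String extractGroupAccount(String payload) {
        Matcher m = GROUP_ACCOUNT.matcher(payload);
        return m.find() ? m.group(3) : null;
    }

    /** Returns whatever the unanchored pattern captures first, or null. */
    public static String firstSecurityIdAccount(String payload) {
        Matcher m = FIRST_SID.matcher(payload);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed 4756 payload with the same block layout as the event in the question.
        String payload = "Jan 09 12:33:50 SRVDC0 AgentDevice=WindowsLog EventID=4756 "
            + "Message=A member was added to a security-enabled universal group. "
            + "Subject: Security ID: CORP\\bforeman Account Name: bforeman "
            + "Account Domain: CORP Logon ID: 0x220f7a57 "
            + "Member: Security ID: CORP\\jsmith Account Name: CN=jsmith\\, Dan,"
            + "OU=Exchange Users,DC=corp,DC=testlab,DC=ca "
            + "Group: Security ID: CORP\\IT-TESTGRP Account Name: IT-TESTGRP "
            + "Account Domain: CORP Additional Information: Privileges: -";

        System.out.println("unanchored pattern  -> " + firstSecurityIdAccount(payload));
        System.out.println("Group-anchored pattern -> " + extractGroupAccount(payload));
    }
}
```

The same Group-anchored expression, with a single backslash per escape, is what goes into the QRadar custom property; capture group 3 is the value to select.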