RegEx for QRadar SIEM

2017-01-10 66 views

I need to create a custom property in QRadar SIEM that involves a regular expression. I am looking for the best way to match the Group Security ID / Account Name, which in this case is populated with the IT-TESTGRP account. Our goal is to pull out any account found under Group. I am having a hard time working out the match while avoiding the similar fields found under Subject: and Member:. I only want the account associated with Group:

<13>Jan 09 12:33:50 SRVDC0 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.4.86 Source=Microsoft-Windows-Security-Auditing Computer=SRVDC0.corp.teslab.ca OriginatingComputer=SRVDC0 User= Domain= EventID=4756 EventIDCode=4756 EventType=8 EventCategory=13826 RecordNumber=1244048131 TimeGenerated=1483983229 TimeWritten=1483983229 Level=0 Keywords=0 Task=0 Opcode=0 Message=A member was added to a security-enabled universal group. Subject: Security ID: CORP\bforeman Account Name: bforeman Account Domain: CORP Logon ID: 0x220f7a57 Member: Security ID: CORP\jsmith Account Name: CN=jsmith\, Dan,OU=Exchange Users,DC=corp,DC=testlab,DC=ca Group: Security ID: CORP\IT-TESTGRP Account Name: IT-TESTGRP Account Domain: CORP Additional Information: Privileges:

Answer

The approach is to use Group: Security ID as the anchor of the pattern and do the following:

import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class GroupAccountExtractor {
    public static void main(String[] args) {
        // Anchoring on "Group:" skips the Subject: and Member: sections; \1 requires Account Domain to repeat the domain captured before the backslash.
        Pattern p = Pattern.compile("Group: Security ID: (\\w+)\\\\([^ ]+) Account Name: ([^ ]+) Account Domain: \\1");
        Matcher m = p.matcher("Jan 09 12:33:50 SRVDC0 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.4.86 Source=Microsoft-Windows-Security-Auditing Computer=SRVDC0.corp.teslab.ca OriginatingComputer=SRVDC0 User= Domain= EventID=4756 EventIDCode=4756 EventType=8 EventCategory=13826 RecordNumber=1244048131 TimeGenerated=1483983229 TimeWritten=1483983229 Level=0 Keywords=0 Task=0 Opcode=0 Message=A member was added to a security-enabled universal group. Subject: Security ID: CORP\\bforeman Account Name: bforeman Account Domain: CORP Logon ID: 0x220f7a57 Member: Security ID: CORP\\jsmith Account Name: CN=jsmith, Dan,OU=Exchange Users,DC=corp,DC=testlab,DC=ca Group: Security ID: CORP\\IT-TESTGRP Account Name: IT-TESTGRP Account Domain: CORP Additional Information: Privileges:");
        while (m.find()) {
            System.out.println("domain: " + m.group(1) + ", security id: " + m.group(2) + ", account Name: " + m.group(3));
        }
    }
}

which prints

domain: CORP, security id: IT-TESTGRP, account Name: IT-TESTGRP 

To get rid of the domain in front of the group's Security ID, match only the word before the backslash, then make sure that word is the same as the Account Domain string by using a back-reference.


I used the following regex to extract the Group Security ID "CORP\IT-TESTGRP": Group:\s+Security\s+ID:\s+([^ ]+) . I can't figure out how to properly strip the domain (CORP\\) so that it matches the group name. – Heisenberg
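The answer's pattern and the simpler pattern from the comment, run side by side over a few sample events, as an added example that is not part of the original question, answer or comment. The events are constructed for this example, modelled on the 4756 message in the question; the function names extract_group_account, strip_domain and extract_group_name_simple are chosen here. Python's re is used because both patterns only need syntax that Java's java.util.regex (the engine QRadar custom properties use) and Python share, so the matches below are the ones the Java code above produces as well. The second event shows what the \1 back-reference actually buys: when the Group: section's Account Domain does not repeat the domain in the Security ID, the answer's pattern rejects the event, while the comment's pattern still extracts a name; the third event has no Group: section and is ignored by both.

```python
import re

# The answer's pattern: \w+ before the backslash captures the domain, [^ ]+ the SID's
# account part and the Account Name, and \1 requires Account Domain to repeat the
# captured domain. Only "Group:" is anchored on, so Subject: and Member: are skipped.
GROUP_ACCOUNT_RE = re.compile(
    r"Group: Security ID: (\w+)\\([^ ]+) Account Name: ([^ ]+) Account Domain: \1"
)

# The comment's pattern: captures the whole "DOMAIN\name" token after Group: Security ID:.
GROUP_SID_RE = re.compile(r"Group:\s+Security\s+ID:\s+([^ ]+)")


def extract_group_account(event):
    """Return (domain, sid_name, account_name) from the Group: section, or None."""
    m = GROUP_ACCOUNT_RE.search(event)
    return m.groups() if m else None


def strip_domain(qualified):
    """'CORP\\IT-TESTGRP' -> 'IT-TESTGRP'; a value with no backslash is returned unchanged."""
    return qualified.rsplit("\\", 1)[-1]


def extract_group_name_simple(event):
    """The comment's approach: grab DOMAIN\\name, then drop the domain prefix."""
    m = GROUP_SID_RE.search(event)
    return strip_domain(m.group(1)) if m else None


# Constructed sample event, modelled on the 4756 message in the question (not real data).
QUESTION_EVENT = (
    "<13>Jan 09 12:33:50 SRVDC0 AgentDevice=WindowsLog AgentLogFile=Security "
    "PluginVersion=7.2.4.86 Source=Microsoft-Windows-Security-Auditing "
    "Computer=SRVDC0.corp.teslab.ca OriginatingComputer=SRVDC0 User= Domain= "
    "EventID=4756 EventIDCode=4756 EventType=8 EventCategory=13826 "
    "RecordNumber=1244048131 TimeGenerated=1483983229 TimeWritten=1483983229 "
    "Level=0 Keywords=0 Task=0 Opcode=0 "
    "Message=A member was added to a security-enabled universal group. "
    "Subject: Security ID: CORP\\bforeman Account Name: bforeman Account Domain: CORP "
    "Logon ID: 0x220f7a57 "
    "Member: Security ID: CORP\\jsmith Account Name: CN=jsmith\\, Dan,OU=Exchange Users,"
    "DC=corp,DC=testlab,DC=ca "
    "Group: Security ID: CORP\\IT-TESTGRP Account Name: IT-TESTGRP Account Domain: CORP "
    "Additional Information: Privileges:"
)

# Same layout, but the Group: section's Account Domain does not repeat the domain in the
# Security ID, so the \1 back-reference rejects it (constructed to show that check firing).
MISMATCHED_DOMAIN_EVENT = QUESTION_EVENT.replace(
    "Account Name: IT-TESTGRP Account Domain: CORP",
    "Account Name: IT-TESTGRP Account Domain: OTHER",
)

# An event that has Subject: and Member: sections but no Group: section (constructed).
NO_GROUP_EVENT = QUESTION_EVENT.split(" Group:")[0]


if __name__ == "__main__":
    samples = [
        ("question event", QUESTION_EVENT),
        ("mismatched domain", MISMATCHED_DOMAIN_EVENT),
        ("no Group: section", NO_GROUP_EVENT),
    ]
    for label, event in samples:
        print(f"{label:18s} answer's regex -> {extract_group_account(event)}")
        print(f"{label:18s} comment's regex -> {extract_group_name_simple(event)}")
```

In a QRadar custom property the pattern is the answer's regex verbatim and the capture group number selects which value the property holds (3 for the Account Name, 2 for the name part of the Security ID); the domain check from the back-reference applies either way.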