Hello,
When I run the following query:
{job="windows-security"}
| json
| event_id =~ "4660|4663"
| line_format "{{.computer}} | {{.SubjectUserName}} | {{.timeCreated}} | {{.event_data}}"
The raw information is displayed as follows:
DESKTOP-1PNH21K | | 2025-02-15T06:38:29.7340823Z | <Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>DESKTOP-1PNH21K$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>Process</Data><Data Name='ObjectName'>\Device\HarddiskVolume2\Windows\System32\lsass.exe</Data><Data Name='HandleId'>0x137c</Data><Data Name='AccessList'>%%4484
</Data><Data Name='AccessMask'>0x10</Data><Data Name='ProcessId'>0xcc8</Data><Data Name='ProcessName'>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24080.9-0\MsMpEng.exe</Data><Data Name='ResourceAttributes'>-</Data>
And:
channel Security
channel_extracted Security
computer DESKTOP-1PNH21K
computer_extracted DESKTOP-1PNH21K
detected_level unknown
eventRecordID 132894
event_data
<Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>DESKTOP-1PNH21K$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>Process</Data><Data Name='ObjectName'>\Device\HarddiskVolume2\Windows\System32\lsass.exe</Data><Data Name='HandleId'>0x137c</Data><Data Name='AccessList'>%%4484
</Data><Data Name='AccessMask'>0x10</Data><Data Name='ProcessId'>0xcc8</Data><Data Name='ProcessName'>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24080.9-0\MsMpEng.exe</Data><Data Name='ResourceAttributes'>-</Data>
event_id 4663
execution_processId 4
execution_processName System
execution_threadId 2876
job windows-security
keywords Audit Success
levelText Information
logsource windows-eventlog
message An attempt was made to access an object.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-1PNH21K$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: Process
Object Name: \Device\HarddiskVolume2\Windows\System32\lsass.exe
Handle ID: 0x137c
Resource Attributes: -
Process Information:
Process ID: 0xcc8
Process Name: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24080.9-0\MsMpEng.exe
Access Request Information:
Accesses: Read from process memory
Access Mask: 0x10
opCodeText Info
service_name windows-security
source Microsoft-Windows-Security-Auditing
task 12802
taskText Kernel Object
timeCreated 2025-02-15T06:38:29.7340823Z
version 1
To get the information I want, I ran the following query:
{job="windows-security"}
| json
| event_id =~ "4660|4663"
| parse regex field=event_data "<Data Name='SubjectUserName'>([^<]+)</Data>" as userName
| line_format "{{.computer}} | {{userName}} | {{.timeCreated}} | {{.event_data}}"
But I got the following error:
parse error at line 4, col 9: syntax error: unexpected IDENTIFIER
How do I solve it?
Thank you.
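Added example, not part of the post above: the `parse regex` stage in the second query is not a LogQL stage, which is what the parser is rejecting. The script below does the same extraction offline in Python over JSON log lines shaped like the record in the post (field names `computer`, `timeCreated`, `event_id`, `event_data` come from the post), and then adds the check a defender would want on top of it: a 4663 event on `lsass.exe` whose access mask includes `0x10` ("Read from process memory" in the post's message body) from a process that is not on an allowlist. The sample lines, the `alice` user, the `unsigned_tool.exe` and `notepad.exe` paths, and the allowlist itself are constructed for the example; only the Defender engine path is taken from the post.

```python
import json
import re
from typing import Dict, List

# Matches each <Data Name='X'>value</Data> element of the event_data fragment.
# DOTALL because values such as AccessList in the post carry a newline before
# the closing tag.
DATA_RE = re.compile(r"<Data Name='([^']+)'>(.*?)</Data>", re.DOTALL)

# Access-mask bit the post's message body renders as "Read from process memory"
# (PROCESS_VM_READ) for 4663 events on Process objects.
PROCESS_VM_READ = 0x10

# Hypothetical allowlist: processes expected to read lsass memory on this host.
# The Defender engine path comes from the post; add your own AV/EDR paths.
EXPECTED_LSASS_READERS = {
    r"c:\programdata\microsoft\windows defender\platform\4.18.24080.9-0\msmpeng.exe",
}


def parse_event_data(event_data: str) -> Dict[str, str]:
    """Turn the flattened <Data> fragment into a dict, trimming whitespace."""
    return {name: value.strip() for name, value in DATA_RE.findall(event_data)}


def extract_fields(record: dict) -> dict:
    """The columns the post's line_format asked for, plus the parsed event_data."""
    data = parse_event_data(record.get("event_data", ""))
    return {
        "computer": record.get("computer", ""),
        "userName": data.get("SubjectUserName", ""),
        "timeCreated": record.get("timeCreated", ""),
        "data": data,
    }


def is_suspicious_lsass_read(record: dict) -> bool:
    """4663 on lsass.exe with PROCESS_VM_READ from a process not on the allowlist."""
    if str(record.get("event_id", "")) != "4663":
        return False
    data = parse_event_data(record.get("event_data", ""))
    if data.get("ObjectType") != "Process":
        return False
    if not data.get("ObjectName", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        mask = int(data.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if not mask & PROCESS_VM_READ:
        return False
    return data.get("ProcessName", "").lower() not in EXPECTED_LSASS_READERS


def scan(lines: List[str]) -> List[dict]:
    """Run the check over JSON log lines; returns extracted fields of the hits."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the scan
        if is_suspicious_lsass_read(record):
            hits.append(extract_fields(record))
    return hits


def _event_data(user: str, obj_type: str, obj: str, mask: str, proc: str) -> str:
    """Build an event_data fragment shaped like the one in the post (constructed)."""
    return (
        "<Data Name='SubjectUserSid'>S-1-5-18</Data>"
        f"<Data Name='SubjectUserName'>{user}</Data>"
        "<Data Name='SubjectDomainName'>WORKGROUP</Data>"
        "<Data Name='ObjectServer'>Security</Data>"
        f"<Data Name='ObjectType'>{obj_type}</Data>"
        f"<Data Name='ObjectName'>{obj}</Data>"
        "<Data Name='HandleId'>0x137c</Data>"
        "<Data Name='AccessList'>%%4484\n</Data>"
        f"<Data Name='AccessMask'>{mask}</Data>"
        "<Data Name='ProcessId'>0xcc8</Data>"
        f"<Data Name='ProcessName'>{proc}</Data>"
    )


LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24080.9-0\MsMpEng.exe"

# Constructed sample lines: the first mirrors the post's Defender event, the
# others are invented to exercise the allowlist and the ObjectType filter.
SAMPLE_LINES = [
    json.dumps({"job": "windows-security", "event_id": 4663, "computer": "DESKTOP-1PNH21K",
                "timeCreated": "2025-02-15T06:38:29.7340823Z",
                "event_data": _event_data("DESKTOP-1PNH21K$", "Process", LSASS, "0x10", DEFENDER)}),
    json.dumps({"job": "windows-security", "event_id": 4663, "computer": "DESKTOP-1PNH21K",
                "timeCreated": "2025-02-15T06:41:02.0000000Z",
                "event_data": _event_data("alice", "Process", LSASS, "0x1010",
                                          r"C:\Users\alice\AppData\Local\Temp\unsigned_tool.exe")}),
    json.dumps({"job": "windows-security", "event_id": 4663, "computer": "DESKTOP-1PNH21K",
                "timeCreated": "2025-02-15T06:42:00.0000000Z",
                "event_data": _event_data("alice", "File", r"C:\Users\alice\notes.txt", "0x10",
                                          r"C:\Windows\System32\notepad.exe")}),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['computer']} | {hit['userName']} | {hit['timeCreated']} | "
              f"{hit['data']['ProcessName']} read {hit['data']['ObjectName']}")
```

Running it prints one line, the constructed `unsigned_tool.exe` read of `lsass.exe`; the Defender event from the post is suppressed by the allowlist and the file-object event by the `ObjectType` check. The `AccessList` value shows why the regex uses DOTALL: the `%%4484` token in the post is followed by a newline before `</Data>`, and a `.` that does not match newlines would miss that element.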