3.2 Extracting Data from Windows Log Sources - RX


Course
Time: 1 hour 37 minutes
Difficulty: Beginner
Video Transcription
00:00
So one of the things I mentioned in the last lesson was that
00:05
anchors of start and end of a string are very limited when it comes to real life. Especially in security tools, you run into its limitations due to the way the data comes in; you know, you receive strings in multiple strings of data and therefore
00:19
you have not received, probably, what you're looking for.
00:22
So what I did for this example is, since data comes into, let's say, SIEMs in chunks, or in the OP comes in chunks, right? I looked up
00:33
syslog examples and I found this little page from OSSEC
00:38
right here. They have different logs and I'm gonna pick the Windows
00:42
logs, for now. And then we'll go over different logs during these examples. Right?
00:47
And we have here a system log which I copy-pasted
00:51
into a regex
00:53
right here. So now that we have that, let me explain a little bit to you what this regex is for, for those who have not experienced this type of thing before.
01:03
If you look carefully here in this line, it explains to you the fields.
01:07
It's gonna be the date that you can see here,
01:11
followed by the time,
01:14
IP,
01:15
user name,
01:17
the week of use,
01:19
site name,
01:23
computer name,
01:29
IP,
01:30
port,
01:32
and GET.
01:33
So
01:34
let's say we want to build a rule
01:37
to capture this port,
01:38
right?
01:40
What do we have to do?
01:42
Well, first of all, we gotta look
01:44
at how to build it.
01:46
We do have numbers all over the place, but what is right before it or right after it that we don't have anywhere else?
01:53
In this case, IPs are shown here
01:57
and here.
01:59
All right.
02:00
Now, the difference being is that this is the second time
02:05
that an IP is shown. And there's no IPs afterwards, right?
02:08
So there's two ways to do this.
02:10
The first one is a little bit riskier, but might work. That is, for this particular example, due to the way the syslogs are arriving,
02:19
you can literally do
02:23
\d.
02:23
Now, an IP has between one and three characters, and a period, so we're gonna use that as an example for this, right?
02:30
And then you have four different segments, or octets.
02:35
Right? But remember, there's no dot at the end. So we're gonna be leaving that out. So you have here four hits. Why four? Because it's two different syslog entries. Okay.
02:45
Now,
02:46
what you do is you want to isolate for this 80 here. Now, if you look carefully, always,
02:53
always after this IP
02:57
and this other one,
02:59
all right, it's gonna be a port, while the other one
03:02
always has
03:04
potentially a site name or user name.
03:07
Right.
03:07
So what we're gonna do is, the port, well, that's digits, while a user name might be,
03:14
uh, mixed, too, digits or words, right? So most likely, if you're trying to use it for the user, you do \w. In this case, we will be doing \d
03:23
and a range of one through five.
03:25
And yes, I have to Google it, because it's not too common
03:30
to write 12345.
03:35
And that's the port.
03:37
Now what you'd like to do also is make sure you
03:39
block the chances of this being detected somewhere else. You always do a \d... I'm sorry, a \s for space, since there's a space afterwards, right? And there you have it. Now what happens is this particular string captures
03:53
everything,
03:53
and we don't want that.
03:55
We want to capture only the port. So what we do is we actually create a capture group around this parameter, right? Using parentheses
04:05
and parentheses. Make sure you add it before
04:10
the space. Otherwise you also capture the space, which might
04:14
influence the detection or the correlation of tools or detections in your tools. Right?
04:20
So in here you already have how to capture
04:24
80,
04:26
fairly easy, right?
04:27
Now,
04:29
Another thing is, for example, for this particular example, let's say the user name here is 80 as well, or let's say 123,
04:39
right,
04:41
space. Oh, now it gets detected. So what happens is
04:46
you have to be careful, and then you have to weigh your options, right? So, like I said,
04:50
that was the high-risk one in the beginning, and it's because this might happen.
04:56
So how do we fix this?
04:57
Well,
04:59
after it, you know, there's always a word, and it doesn't always have to be GET, right? But you do have a word.
05:06
Let's say \w
05:09
plus, because we don't know the range,
05:10
followed by a space, right?
05:12
And let's say here,
05:15
right, we do have a site name, so-called, that we still detect, right. And here's where, you know,
05:23
the magic happens.
05:25
You write,
05:28
and here's where we
05:30
break it. Sorry, I broke the wrong one,
05:32
and that's how you block it.
05:34
And that's how you're more secure. If you put parameters both before and after the capture group, you're gonna be a lot more efficient when you're going to capture content for these types of rules or these types of patterns, right?
05:48
So let's say you actually want to capture
05:53
what's right
05:55
over here.
05:57
If you remember correctly,
05:59
we didn't have this before. So when we build this regex, you might need to build it so it either detects or doesn't detect that.
06:05
So, first of all, like I said,
06:08
if you recall correctly,
06:10
if we delete what's afterwards,
06:13
it would detect both of them.
06:15
You can see it's already working. I don't have to build too much before this.
06:19
Now,
06:20
one thing you have to consider is this slash.
06:25
This right now is numbers, but it might be letters, it might be other things. So
06:31
so this is that, right? Now,
06:38
another thing to consider is that this
06:42
might or might not be there. So we're gonna add
06:45
this interrogation mark. Another thing to consider is right now we're capturing these
06:50
numbers over here. Sorry.
06:53
And actually,
06:55
we actually want to capture the word afterwards. So remove the capture group from there
07:01
and put it in the next word.
07:05
Sorry,
07:09
boom. And again, if you always put something afterwards
07:13
there. And now you're actually capturing this.
07:17
But, Kevin, if I'm really capturing that, why is this GET still being
07:24
detected? Well, there's different things you can do in this case.
07:27
One of the things is you can either try to hit this next word over here, or you can say, do not detect slash in this case.
07:35
Let's deal with this one first,
07:38
which would be literally slash. Only, you didn't have to put one if it's just one character.
07:44
If you wanna detect it with symbol or not, that's simple, right? It's a \w.
07:48
You have to open the brackets for the not to work. Otherwise you're triggering the start.
07:56
So again, the caret character,
07:59
close the bracket,
08:01
and there we go,
08:01
not a symbol.
08:05
So there's two alternatives.
08:07
Both will work depending on the context of this syntax.