Good morning Protect!
Let's try this again. I feel like I'm making progress with this, I just can't get the final piece. I currently have this:
I have an action to set event field device custom string 4 to $output, and when the rule fires my correlated event just has $output in device custom string 4. Why isn't this working? This particular event $message is a unix log and has 30+ digits, and I just want the username.
Sorry, I just realized you have things before "user:". So here's a modified version of the regex that I think should work.
$message.replaceAll('Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*','$1')
Sometimes the rules engine can take up to 5 minutes to apply a change I've noticed. If possible I would recommend creating a channel that's very small and has the events you want in it and use that to test your rule. It'll be much faster.
Yea, I was gonna say that is a lot closer. It removed everything after user and left the user name. There is another word before authentication as well, but it is confidential so I removed it. Do I need to start with that word and add a [^\s]+?
Not quite. Basically I just typed all of the static words in there exactly as they would appear and then for the ones that contain things you don't want to share or may not be static I inserted [^\s]+ (if you're not familiar with it, it means anything except a whitespace character). So in this case if you have a single word in front of "Authentication" and it will always be the same, then you would just need to type that word in front of "Authentication". If that word is somewhat variable, then you would just put "[^\s]+ Authentication..." Let me know how that turns out for you.
To further clarify, you would only need either the word (if static) or the "[^\s]+ " (if not static). You won't need both in this case since it does not have a dynamic value that follows it.
You might need to modify it a little to make sure that it actually matches the things you have in the message field. You have things like <Active Directory> in there that I am guessing are single words with no space characters, but if any of them may contain a space then your regex will need to be modified. If it's just replicating the event.message, then that means the regex is not matching. Since we added more in, you'll have to compare the logic against the message and see if it looks like it should match to you. Unfortunately, since you're not able to share these messages we won't be able to troubleshoot that part of it. But at the least you now have it working and just need to refine the regex. If possible, could you provide a version of the message that has the same number of characters (replacing anything you can't share with something of equal value)? That way I can try to troubleshoot the regex vs what you are actually seeing.
Say you have the event message "Classified user: james.jameson account: 1222222" and you can't share the name, number, or word "Classified", then you would put something like this:
"Abcdefghij user: faker.fakeson account: 000000000"
That just shows where special characters or multiple words might exist to help with the regex.
It may also be possible to do this:
But I'm not entirely sure if that would work. That just adds a ".*" saying everything before "user:", but that part might match on "user:" as well and not produce anything. Worth a try if you don't see an easy fix for the regex.
$message.replaceAll('[^\s]+ Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*','$1')
That should work barring any of the things you enclosed in <> containing spaces.
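To see the reasoning in the replies run against sample input, here is an added Python example (not code from this thread or from ArcSight). It approximates the Java-style replaceAll that the ArcSight variable calls with Python's re.sub; the sample messages and the LOOSE_PATTERN form are constructed assumptions, not real log data.

```python
import re

# Constructed sample messages shaped like the thread's redacted example; they
# are not real log lines. Angle-bracket tokens stand in for values that vary.
MATCHING = ("Abcdefghij Authentication <succeeded> for <Active_Directory> "
            "user: faker.fakeson account: 000000000")
# Same message, but one of the "single words" actually contains a space.
WITH_SPACE = ("Abcdefghij Authentication <succeeded> for <Active Directory> "
              "user: faker.fakeson account: 000000000")
# A message where "user:" occurs twice (to show what a leading .* does).
TWO_USERS = "Abcdefghij user: alice delegated to user: bob"

# The thread's approach: static words typed literally, [^\s]+ wherever a token
# varies (or was redacted), ([^\s]+) capturing the username, .* eating the rest.
PATTERN = r"[^\s]+ Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*"
# The looser ".* before user:" variant the reply mentions (assumed form).
LOOSE_PATTERN = r".*user: ([^\s]+).*"


def replace_all(message: str, pattern: str, replacement: str = r"\1") -> str:
    """Approximate Java's String.replaceAll(), which is what the ArcSight
    variable calls. Python writes the capture group as \\1 where Java uses $1.
    A non-matching message comes back unchanged, which is exactly the symptom
    in the thread: the whole message lands in the custom string field."""
    return re.sub(pattern, replacement, message)


def extract_user(message: str, pattern: str = PATTERN) -> str:
    return replace_all(message, pattern)


def regex_matches(message: str, pattern: str = PATTERN) -> bool:
    """Check to run against a sample message before editing the rule:
    if this is False, the field will just echo the message."""
    return re.fullmatch(pattern, message) is not None


if __name__ == "__main__":
    for msg in (MATCHING, WITH_SPACE):
        print(regex_matches(msg), "->", extract_user(msg))
    # Greedy .* runs to the LAST "user:", so the capture is "bob", not "alice".
    print(extract_user(TWO_USERS, LOOSE_PATTERN))
```

Running regex_matches on a redacted copy of the real message (same character positions, as the reply asks for) tells you before the rule fires whether the field will hold the username or just echo the message.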
Sorry, I got really busy all of a sudden and wasn't able to work on this. It is now working! Thank you so much for taking the time to assist me with this!