QRadar XDR


Unicode Characters in my datetime Windows Event string?


    Posted Fri November 01, 2019 04:43 PM
    Edited by Richard Giesige Mon November 04, 2019 05:01 PM

    I'm trying to figure out how to parse Windows Event Security Log date time stamps that come from the QID 5000826 "Success Audit: The system time was changed".

    Log Example:
    <13>Nov 01 15:28:54 COMPUTER AgentDevice=WindowsLog AgentLogFile=Security PluginVersion= Source=Microsoft-Windows-Security-Auditing Computer=COMPUTER OriginatingComputer= User= Domain= EventID=4616 EventIDCode=4616 EventType=8 EventCategory=12288 RecordNumber=10584834 TimeGenerated=1572640127 TimeWritten=1572640127 Level=Log Always Keywords=Audit Success Task=SE_ADT_SYSTEM_SECURITYSTATECHANGE Opcode=Info Message=The system time was changed.  Subject:  Security ID:  NT AUTHORITY\LOCAL SERVICE  Account Name:  LOCAL SERVICE  Account Domain:  NT AUTHORITY  Logon ID:  0x3E5  Process Information:  Process ID: 0x658  Name:  C:\Windows\System32\svchost.exe  Previous Time:  ‎2019‎-‎11‎-‎01T20:28:47.886875700Z New Time:  ‎2019‎-‎11‎-‎01T20:28:47.886932900Z  This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
    The problem that I'm running into is that the "New Time:" and "Previous Time" have some sort of non-visible Unicode character in them.

    To parse the New Time (or Previous Time), I have to do this regular expression:
    "New Time:\s{2}\D(\d{4}\D-\D\d{2}\D-\D\d{2}T\d{2}:\d{2}:\d{2}\.\d{9}Z)"
    As you can see from the regular expression, before and after each set of digits in the date I have to use "not a digit" to get the match. From doing some more investigation I found that, for some reason, in the event viewer (not XML view) and in the WinCollect data from QRadar, the left-to-right mark Unicode character surrounds each of the parts of the date [ See picture below ].
    Copy and pasted from event viewer and QRadar the values show up like this.

    Anyone else ever run into this? If so, is there a solution to parse this properly and then have QRadar format the parsed value into a date-time stamp?

    We would like to end up comparing the two times (Previous and New) to create an alert for possible tampering.

    #EventParsing #capture #timedate #unicode #datetime
    Richard Giesige
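The character the post describes is U+200E LEFT-TO-RIGHT MARK, which Windows inserts around each component of a formatted date and which `\d`, `\s` and literal `-` will not match. The following Python example is added here and is not the poster's code or a QRadar custom-property definition; it builds a constructed EventID 4616 message fragment with the marks in the same positions as the log above, strips bidirectional control characters before matching, parses both timestamps (truncating the 9-digit fraction to microseconds, since `datetime` carries no more), and returns the Previous-to-New delta so a threshold can be applied:

```python
import re
from datetime import datetime, timezone

# Constructed sample (not a real capture): the tail of the 4616 message with
# U+200E LEFT-TO-RIGHT MARK around each date component, as in the post.
LRM = "\u200e"
SAMPLE = (
    "Message=The system time was changed.  Subject: ... "
    f"Previous Time:  {LRM}2019{LRM}-{LRM}11{LRM}-{LRM}01T20:28:47.886875700Z "
    f"New Time:  {LRM}2019{LRM}-{LRM}11{LRM}-{LRM}01T20:28:47.886932900Z  "
    "This event is generated when the system time is changed."
)

# Unicode bidi control characters that formatted Windows dates may carry:
# LRM/RLM, the embedding/override controls, and the isolate controls.
BIDI_MARKS = re.compile("[\u200e\u200f\u202a-\u202e\u2066-\u2069]")

# Plain ISO-8601 pattern; it only matches once the marks are removed.
TIME_RE = re.compile(
    r"(Previous|New) Time:\s+(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{1,9}Z)"
)


def parse_iso_nanos(ts: str) -> datetime:
    """Parse a UTC timestamp with up to 9 fractional digits.
    datetime stores microseconds, so digits 7-9 are truncated."""
    head, frac = ts.rstrip("Z").split(".")
    frac = (frac + "000000")[:6]
    naive = datetime.strptime(f"{head}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def extract_times(message: str) -> dict:
    """Return {'Previous': datetime, 'New': datetime} from a 4616 message."""
    cleaned = BIDI_MARKS.sub("", message)
    return {label: parse_iso_nanos(ts) for label, ts in TIME_RE.findall(cleaned)}


def time_change_seconds(message: str) -> float:
    """Signed difference New - Previous in seconds."""
    t = extract_times(message)
    return (t["New"] - t["Previous"]).total_seconds()


def is_suspicious(message: str, threshold_seconds: float = 60.0) -> bool:
    """Flag a clock change larger than the threshold; the Windows Time
    Service normally applies sub-second corrections, as in the sample."""
    return abs(time_change_seconds(message)) > threshold_seconds
```

The 60-second threshold is an assumed starting point; the sample's 57-microsecond correction from the Windows Time Service falls well under it, while a manual clock change of minutes or more would be flagged.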