Hello,
I'm trying to figure out how to parse Windows Event Security Log date time stamps that come from the QID 5000826 "Success Audit: The system time was changed".
Log Example:
<13>Nov 01 15:28:54 COMPUTER AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.9.72 Source=Microsoft-Windows-Security-Auditing Computer=COMPUTER OriginatingComputer=10.0.0.1 User= Domain= EventID=4616 EventIDCode=4616 EventType=8 EventCategory=12288 RecordNumber=10584834 TimeGenerated=1572640127 TimeWritten=1572640127 Level=Log Always Keywords=Audit Success Task=SE_ADT_SYSTEM_SECURITYSTATECHANGE Opcode=Info Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x658 Name: C:\Windows\System32\svchost.exe Previous Time: 2019-11-01T20:28:47.886875700Z New Time: 2019-11-01T20:28:47.886932900Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
The problem that I'm running into is that the "New Time:" and "Previous Time" have some sort of non-visible Unicode character in them.
To parse the New Time (or Previous Time), I have to do this regular expression
"New Time:\s{2}\D(\d{4}\D-\D\d{2}\D-\D\d{2}T\d{2}:\d{2}:\d{2}\.\d{9}Z)"
As you can see from the regular expression, before and after each set of digits for the date I have to use \D (not a digit) to get the match. From doing some more investigation I found that for some reason in the event viewer (not XML view) and WinCollect data from QRadar the left-to-right mark Unicode character is surrounding each of the parts of the date [ See picture below ].
Anyone else ever run into this? If so is there a solution to parse this properly and then have QRadar format the parsed value into a date-time stamp?
We would like to end up comparing the two times (Previous and New) to create an alert for possible tampering.
Thanks,
#EventParsing
#capture #timedate #unicode #datetime
------------------------------
Richard Giesige
------------------------------
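Added example, not the poster's code and not QRadar's own parsing logic: a small Python parser that strips the U+200E LEFT-TO-RIGHT MARK (and its U+200F counterpart) from the event text before matching, parses both the Previous Time and New Time fields, and returns the difference so the two can be compared for a tamper alert. The sample event line is constructed here to mimic the rendering described in the post (a mark around each date component); the function names and the 60-second threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Bidi control marks that the Windows date formatter inserts around date parts.
BIDI_MARKS = "\u200e\u200f"  # LEFT-TO-RIGHT MARK, RIGHT-TO-LEFT MARK
LRM = "\u200e"

# Matches the two fields once the marks are gone. Windows writes 7 fractional
# digits (100 ns ticks) padded to 9; accept 1-9 so truncated copies still parse.
TIME_RE = re.compile(
    r"(Previous Time|New Time):\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d{1,9})Z"
)


def _win_date(year, month, day):
    """Reproduce the rendering the post describes: an LRM around each component."""
    return f"{LRM}{year}{LRM}-{LRM}{month}{LRM}-{LRM}{day}"


# Constructed sample lines, modelled on the EventID 4616 example in the post.
SAMPLE_EVENT = (
    "EventID=4616 Message=The system time was changed. "
    f"Previous Time: {_win_date('2019', '11', '01')}T20:28:47.886875700Z "
    f"New Time: {_win_date('2019', '11', '01')}T20:28:47.886932900Z "
    "This event is generated when the system time is changed."
)
TAMPERED_EVENT = (
    "EventID=4616 Message=The system time was changed. "
    f"Previous Time: {_win_date('2019', '11', '01')}T20:28:47.886875700Z "
    f"New Time: {_win_date('2019', '11', '03')}T02:00:00.000000000Z "
    "This event is generated when the system time is changed."
)


def strip_bidi_marks(text):
    """Remove the invisible marks so ordinary \\d-based patterns match."""
    return text.translate({ord(c): None for c in BIDI_MARKS})


def parse_win_timestamp(stamp, frac):
    """Turn 'YYYY-MM-DDTHH:MM:SS' plus a fractional-second string into a UTC datetime.

    datetime only carries microseconds, so the 100 ns digits are truncated.
    """
    base = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int(frac.ljust(9, "0")[:6])
    return base.replace(microsecond=micros)


def extract_times(event_line):
    """Return (previous_time, new_time) parsed from one 4616 event line."""
    found = {}
    for label, stamp, frac in TIME_RE.findall(strip_bidi_marks(event_line)):
        found[label] = parse_win_timestamp(stamp, frac)
    if "Previous Time" not in found or "New Time" not in found:
        raise ValueError("event line lacks Previous Time / New Time fields")
    return found["Previous Time"], found["New Time"]


def time_change_delta(event_line):
    """Signed difference New Time - Previous Time as a timedelta."""
    previous, new = extract_times(event_line)
    return new - previous


def is_suspicious_change(event_line, threshold=timedelta(seconds=60)):
    """Flag a change larger than the threshold in either direction.

    The Windows Time Service normally nudges the clock by fractions of a second;
    a jump of minutes or more is worth an alert. The threshold is an assumption.
    """
    return abs(time_change_delta(event_line)) > threshold


if __name__ == "__main__":
    for line in (SAMPLE_EVENT, TAMPERED_EVENT):
        print(time_change_delta(line), "suspicious" if is_suspicious_change(line) else "normal")
```

The same approach carries over to a QRadar custom property: remove the marks (or keep the \D placeholders from the post) in the capture group so the extracted value is a plain ISO 8601 string that the date-format step can then understand.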