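# Match a 4688 (process creation) event whose ParentProcessName is the
# Microsoft Monitoring Agent host. The dot in ".exe" is escaped so it only
# matches a literal dot. Note that ".+" is greedy and, with /m, also crosses
# newlines, so on input holding several events a match can run past the
# ParentProcessName field it started in.
re = /(?:ParentProcessName).+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe)/m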
str = '<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2023-11-21T18:59:45.001877100Z\'/><EventRecordID>1190634810</EventRecordID><Correlation/><Execution ProcessID=\'4\' ThreadID=\'12064\'/><Channel>Security</Channel><Computer>SW</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>NT AUTHORITY\\SYSTEM</Data><Data Name=\'SubjectUserName\'>S</Data><Data Name=\'SubjectDomainName\'>MF</Data><Data Name=\'SubjectLogonId\'>0x3e7</Data><Data Name=\'NewProcessId\'>0x1ec0</Data><Data Name=\'NewProcessName\'>C:\\Windows\\System32\\cscript.exe</Data><Data Name=\'TokenElevationType\'>%%1936</Data><Data Name=\'ProcessId\'>0x1b24</Data><Data Name=\'CommandLine\'></Data><Data Name=\'TargetUserSid\'>NULL SID</Data><Data Name=\'TargetUserName\'>-</Data><Data Name=\'TargetDomainName\'>-</Data><Data Name=\'TargetLogonId\'>0x0</Data><Data Name=\'ParentProcessName\'>C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe</Data><Data Name=\'MandatoryLabel\'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>'
# Print the match result (the pattern has no capture groups, so scan yields
# each full match as a String)
str.scan(re) do |match|
  puts match.to_s
end
# Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Ruby, please visit: http://ruby-doc.org/core-2.2.0/Regexp.html