use strict;
# Test input: two Windows Security-channel records with EventID 4688 (process
# creation), one record per line. The newline between them is part of the string.
# Host, user and domain values are placeholders; the SIDs and logon ids are dummy values.
#   record 1: NewProcessName and ParentProcessName both end in Teams.exe
#   record 2: NewProcessName is msedge.exe, ParentProcessName ends in Teams.exe
# CommandLine is empty in both records, so this sample does not show how a
# pattern behaves when the command-line field carries text.
# Single-quoted literal: only \' and \\ are escapes, so the paths hold single
# backslashes at runtime.
my $str = '<Event xmlns=\'http:// schemas .microsoft .com/win/2004/08/events/event \'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-a5ba-3e3b0328c30d}\'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2024-02-21T22:11:25.7542758Z\'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID=\'4\' ThreadID=\'1124\'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name=\'SubjectUserName\'>{user}</Data><Data Name=\'SubjectDomainName\'>{Domain}</Data><Data Name=\'SubjectLogonId\'>0x11111111</Data><Data Name=\'NewProcessId\'>0x5864</Data><Data Name=\'NewProcessName\'>C:\\Users\\{user}\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe</Data><Data Name=\'TokenElevationType\'>%%1936</Data><Data Name=\'ProcessId\'>0x4604</Data><Data Name=\'CommandLine\'></Data><Data Name=\'TargetUserSid\'>S-1-0-0</Data><Data Name=\'TargetUserName\'>-</Data><Data Name=\'TargetDomainName\'>-</Data><Data Name=\'TargetLogonId\'>0x0</Data><Data Name=\'ParentProcessName\'>C:\\Users\\{user}\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe</Data><Data Name=\'MandatoryLabel\'>S-1-11-1111</Data></EventData></Event>
<Event xmlns=\'http:// schemas .microsoft .com/win/2004/08/events/event \'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-a5ba-3e3b0328c30d}\'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2024-02-21T22:33:19.5932251Z\'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID=\'4\' ThreadID=\'31196\'/><Channel>Security</Channel><Computer>{Device_FQNDN</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name=\'SubjectUserName\'>{user}</Data><Data Name=\'SubjectDomainName\'>{Domain}</Data><Data Name=\'SubjectLogonId\'>0x1111111</Data><Data Name=\'NewProcessId\'>0x7664</Data><Data Name=\'NewProcessName\'>C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe</Data><Data Name=\'TokenElevationType\'>%%1936</Data><Data Name=\'ProcessId\'>0x4238</Data><Data Name=\'CommandLine\'></Data><Data Name=\'TargetUserSid\'>S-1-0-0</Data><Data Name=\'TargetUserName\'>-</Data><Data Name=\'TargetDomainName\'>-</Data><Data Name=\'TargetLogonId\'>0x0</Data><Data Name=\'ParentProcessName\'>C:\\Users\\{user}\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe</Data><Data Name=\'MandatoryLabel\'>S-1-11-1111</Data></EventData></Event>';
# Pattern under test. It looks for "NewProcessName", then the nearest
# "Teams.exe</Data>", then the nearest "ParentProcessName".
#   - There is no /s, so "." never crosses a newline and a match stays inside
#     one event line.
#   - /m changes nothing here because the pattern uses neither ^ nor $.
#   - /p makes ${^PREMATCH}, ${^MATCH} and ${^POSTMATCH} available.
# NOTE(review): the lazy ".*?" gaps are not confined to the NewProcessName
# element. Any "Teams.exe</Data>" that appears before ParentProcessName on the
# same line satisfies the pattern (in the sample records the CommandLine field
# sits in that gap), and any path ending in Teams.exe matches whatever its
# directory. If this pattern feeds a detection or an exclusion rule, confine
# the first gap to the element value (e.g. [^<]*) and compare the full
# expected install path. Confirm the intent before reusing it.
my $teams_launch_re = qr/NewProcessName.*?Teams\.exe<\/Data>.*?ParentProcessName/mp;

# Scalar-context /g: a single match attempt that also records pos($str).
my $found = $str =~ /$teams_launch_re/g;
if ($found) {
    print "Whole match is ${^MATCH} and its start/end positions can be obtained via \$-[0] and \$+[0]\n";

    # The pattern defines no capture groups; if groups are added later, they
    # can be read the same way:
    # print "Capture Group 1 is $1 and its start/end positions can be obtained via \$-[1] and \$+[1]\n";
    # print "Capture Group 2 is $2 ... and so on\n";
}

# With /p, ${^PREMATCH} and ${^POSTMATCH} hold the text before and after the match.
# Named capture groups are read through $+{name}.
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Perl, please visit: http://perldoc.perl.org/perlre.html