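// Matches only the opening <Event> tag of a Windows event-log XML record whose
// namespace is schemas.microsoft.com/win/<n>/<n>/events/event (the samples
// below all use 2004/08). The pattern has no capture groups, so each match is
// just the tag text; nothing inside <System> or <EventData> is extracted.
// For real log processing parse the record with an XML parser rather than
// matching tags with a regex.
// NOTE: the \< \= \' escapes are identity escapes; they are tolerated without
// the `u` flag but would be a SyntaxError if that flag were added.
const regex = /\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>/gm;
// Alternative syntax using RegExp constructor
// const regex = new RegExp('\\<Event xmlns\\=\\\'http:\\\/\\\/schemas\\.microsoft\\.com\\\/win\\\/\\d+\\\/\\d+\\\/events\\\/event\\\'>', 'gm')

// Sample input: four Security-channel records from the
// Microsoft-Windows-Security-Auditing provider (EventID 4688, process
// creation), followed by their NewProcessName/ParentProcessName pairs.
// Inside the template literal `\\` is one backslash and `\$` a literal `$`.
const str = `1. Sample Event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T13:10:29.381318400Z'/><EventRecordID>151284011</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8768'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX\$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3878</Data><Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x41c4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>
2. Sample Event
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T14:14:10.024210800Z'/><EventRecordID>151288549</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='17052'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX\$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x21ac</Data><Data Name='NewProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f0</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>
3. Sample Event
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T14:15:17.894533600Z'/><EventRecordID>151288597</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='9860'/><Channel>Security</Channel><Computer>sXXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX\$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x2fa0</Data><Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x37a4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>
4. sample event
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T14:14:35.584807300Z'/><EventRecordID>151288563</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='6164'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX\$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x218c</Data><Data Name='NewProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\SenseCnCProxy.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0xb08</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\MsSense.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>
<Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data>
<Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data>
<Data Name='NewProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</Data>
<Data Name='ParentProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Data>
<Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo.exe</Data>
<Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data>
<Data Name='NewProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\SenseCnCProxy.exe</Data>
<Data Name='ParentProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\MsSense.exe</Data>`;

// matchAll requires the `g` flag (present) and iterates over a clone of the
// regex, so `regex.lastIndex` is never advanced and neither a manual reset
// nor the zero-width-match guard of an exec() loop is needed.
for (const m of str.matchAll(regex)) {
  // m is an array-like match result: m[0] is the whole match; the pattern has
  // no capture groups, so there are no further elements.
  m.forEach((match, groupIndex) => {
    console.log(`Found match, group ${groupIndex}: ${match}`);
  });
}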
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for JavaScript, please visit: https://developer.mozilla.org/en/docs/Web/JavaScript/Guide/Regular_Expressions