# coding=utf8
# the above tag defines encoding for this document and is for Python 2.x compatibility
import re
regex = r"\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>"
test_str = ("1. Sample Event:\n\n"
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T13:10:29.381318400Z'/><EventRecordID>151284011</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8768'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3878</Data><Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x41c4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>\n\n\n"
"2. Sample Event\n\n"
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T14:14:10.024210800Z'/><EventRecordID>151288549</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='17052'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x21ac</Data><Data Name='NewProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f0</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>\n\n"
"3. Sample Event\n\n"
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T14:15:17.894533600Z'/><EventRecordID>151288597</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='9860'/><Channel>Security</Channel><Computer>sXXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x2fa0</Data><Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x37a4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>\n\n"
"4. sample event\n\n"
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T14:14:35.584807300Z'/><EventRecordID>151288563</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='6164'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data><Data Name='SubjectUserName'>XXX$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x218c</Data><Data Name='NewProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\SenseCnCProxy.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0xb08</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\MsSense.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>\n\n"
"<Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data>\n"
"<Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data>\n"
"<Data Name='NewProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</Data>\n"
"<Data Name='ParentProcessName'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Data>\n"
"<Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo.exe</Data>\n"
"<Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data>\n"
"<Data Name='NewProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\SenseCnCProxy.exe</Data>\n"
"<Data Name='ParentProcessName'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\MsSense.exe</Data>")
matches = re.finditer(regex, test_str, re.MULTILINE)
for matchNum, match in enumerate(matches, start=1):
print ("Match {matchNum} was found at {start}-{end}: {match}".format(matchNum = matchNum, start = match.start(), end = match.end(), match = match.group()))
for groupNum in range(0, len(match.groups())):
groupNum = groupNum + 1
print ("Group {groupNum} found at {start}-{end}: {group}".format(groupNum = groupNum, start = match.start(groupNum), end = match.end(groupNum), group = match.group(groupNum)))
# Note: for Python 2.7 compatibility, use ur"" to prefix the regex and u"" to prefix the test string and substitution.
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Python, please visit: https://docs.python.org/3/library/re.html