pC_pam360apploginad.md

Parser Content

{
Name = pam360-app-login-ad
  DataType = "app-login"
  Conditions= [ """User_Logged_in_-_AD""", """Success""" ]
  Fields = ${ManageEngineParserTemplates.pam360-app-activity.Fields}[
    """({activity}User_Logged_in_-_AD)""",
    """\sResourceAudit:({user}[^:]{1,2000}):({src_ip}[A-Fa-f:\d\.]{1,2000})""",
    """RDP_initiated_from_PAM360_to_({dest_ip}[A-Fa-f:\d\.]{1,2000})""",
    """Success\s[\w\-\.]{1,200}\s\-({user}[^:]{1,200})""",
    """({app}PAM360)"""
]    


pam360-app-activity = {
  Vendor = ManageEngine
  Product = PAM360
  Lms = Direct
  TimeFormat = "yyyy/MM/dd HH:mm:ss"
  Fields = [
    """\w+\s{1,100}\d{1,100}\s{1,100}\d\d:\d\d:\d\d\s{1,100}({host}[\w\-.]{1,2000})""",
    """({time}\d\d\d\d\/\d\d\/\d\d \d\d:\d\d:\d\d)""",
    """({outcome}Success)""",
    ]
 },

adssp-events = {
  Vendor = ManageEngine
  Product = ADSSP
  Lms = Direct
  TimeFormat = "epoch"
  Fields = [
    """TIME\\?=({time}\d{10,13})""",
    """dvchost=({host}[\w\-.]{1,2000})""",
    """LOGIN NAME\\?=(({user_email}[^@"]{1,2000}@[^"\.]{1,2000}.[^"]{1,2000})|({user}[^\s\]]{1,2000}))""",
    """DOMAIN NAME\\?=(-|({domain}[^\]]{1,2000}))""",
    """IP\\?=({src_ip}[a-fA-F\d.:]{1,2000})""",
    """ACTION_NAME\\?=(-|({event_name}[^\]]{1,2000}))""",
    """STATUS\\?=({additional_info}[^\]]{1,2000})""",
    """({app}ADSSP)"""
  ]
 
}