pC_json4662.md

Parser Content

{
Name = json-4662
  Vendor = Microsoft
  Product = Windows
  Lms = Direct
  DataType = "object-access"
  TimeFormat = "yyyy-MM-dd HH:mm:ss"
  Conditions = ["""An operation was performed on an object""", """"EventID":4662""", """"OperationType":""""]
  Fields = [
    """"TimeGenerated":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{1,3}Z)"""",
    """"Computer":"({host}[^"]{1,2000})"""",
    """"Hostname":"({host}[^"]{1,2000})""",
    """({event_name}An operation was performed on an object)""",
    """({event_code}4662)""",
    """"EventTime":\s{0,100}"?({time}[^",]{1,2000})""",
    """"EventTime":\s{0,100}"({time}\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d)"""",
    """"SubjectUserSid":"({user_sid}[^"]{1,2000})"""",
    """"SubjectUserName":"({user}[^"]{1,2000})"""",
    """"SubjectDomainName":"({domain}[^"]{1,2000})"""",
    """"ObjectName":"({object}[^"]{1,2000})"""",
    """"ObjectServer":"({object_class}[^"]{1,2000})"""",
    """"ObjectType":"({object_type}[^"]{1,2000})"""",
    """"LogonID":"({logon_id}[^"]{1,2000})"""",
    """"OperationType":"({activity}[^"]{1,2000})"""",
    """"Properties":"(-|({properties}[^"]{1,2000}))"""",
    """"AdditionalInfo":"(?:-|({additional_info}[^"]{1,2000}))""""
  ]


}